CVE-2026-44740: Billy Go Library Denial-of-Service via Input Validation Flaws
Billy, a Go library that abstracts filesystem operations, contains multiple input validation flaws that can cause denial-of-service conditions. When processing untrusted repository or filesystem data, the library can panic, enter infinite loops, or consume excessive system resources due to missing safeguards like cycle detection and recursion limits. Authenticated users can trigger these conditions over the network. The issue affects versions prior to 5.9.0 and 6.0.0-alpha.1.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-674, CWE-835
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
Billy fails to properly validate and sanitize crafted or malformed input across multiple components, resulting in uncontrolled recursion, infinite loops, and resource exhaustion. The root causes stem from insufficient input validation, absent cycle detection mechanisms, missing recursion depth limits, and inadequate handling of unexpected filesystem or repository states. The vulnerability is reachable by authenticated network users (PR:L per CVSS vector) who supply malicious data to Billy's interface abstraction layer. The library does not gracefully degrade when encountering cyclic or deeply nested structures.
Business impact
Applications using Billy are exposed to availability risks. An authenticated attacker can craft inputs that crash services or consume CPU and memory, disrupting operations. The impact is limited to availability—no data confidentiality or integrity loss occurs—but repeated attacks could enable a targeted denial-of-service campaign against systems relying on Billy for filesystem abstraction.
Affected systems
Go applications and services that depend on Billy versions prior to 5.9.0 and 6.0.0-alpha.1 are affected. The vulnerability requires authenticated network access, so it is most relevant to systems where untrusted users can send requests that Billy processes, such as microservices, build pipelines, or storage systems that parse external repository metadata or filesystem structures.
Exploitability
Exploitation requires authentication and network access, placing this at CVSS Low Complexity with a CVSS score of 6.5 (MEDIUM). An attacker must already have valid credentials or access privileges. However, once authenticated, triggering the vulnerability is trivial—sending a specially crafted input is sufficient to cause a panic or resource exhaustion. The barrier to exploitation is authentication, not technical sophistication. Billy is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this publication.
Remediation
Update Billy to version 5.9.0 or 6.0.0-alpha.1 (or later stable releases) immediately. The patched versions introduce input validation, cycle detection, recursion limits, and defensive state handling. Review your dependency tree to identify all affected services, prioritize those accepting untrusted input, and apply patches in a controlled deployment cycle.
Patch guidance
Verify the version of Billy in your Go modules (check go.mod and go.sum). For production systems, upgrade to version 5.9.0 if you are on the stable v5 line, or plan migration to v6 if adopting pre-release versions. Test patched builds in a staging environment to confirm compatibility with your application logic. For long-term users on v5, monitor Billy's release schedule for stable v6 availability.
Detection guidance
Monitor application logs for panic messages or crashes originating from Billy components, particularly when processing filesystem or repository data. Watch for sustained CPU or memory spikes during normal operations. Implement network-based detection for authentication failures followed by requests containing unusual patterns (deeply nested structures, circular references, or repeated path traversals). Consider deploying resource limits (CPU timeouts, memory quotas) on services using Billy to limit blast radius.
Why prioritize this
While CVSS 6.5 is medium severity, prioritize this based on your architecture. If Billy processes untrusted input from external sources or multi-tenant environments, upgrade immediately. If Billy is used only internally with trusted data sources, deferral to a standard patch cycle is acceptable. The lack of KEV status and exploitation details in the wild suggests low active exploitation risk, but the ease of triggering denial-of-service after authentication makes this a useful hardening target.
Risk score, explained
The CVSS 6.5 (MEDIUM) score reflects high availability impact (AV:N/AC:L/A:H) tempered by the requirement for authenticated access (PR:L). There is no confidentiality or integrity loss. The score appropriately captures a real but bounded threat—an attacker with credentials can disrupt service, but cannot breach data or escalate privileges. In zero-trust or high-multitenancy environments, treat this as higher priority.
Frequently asked questions
Do I need to patch immediately if Billy is only used for internal, trusted filesystem operations?
Not necessarily. Exploitation requires authentication and crafted input. If your application only parses filesystem data from trusted sources (e.g., your own infrastructure), the risk is lower. However, we recommend a patch within your next scheduled maintenance window to eliminate the attack surface and simplify your threat model.
Is there a workaround if I cannot patch immediately?
Implement defensive measures: run Billy-dependent services with strict resource limits (CPU and memory quotas), disable features that accept untrusted repository or filesystem data if possible, and enforce strong authentication controls. These are temporary mitigations, not substitutes for patching.
What is the difference between version 5.9.0 and 6.0.0-alpha.1?
Both versions contain the security fixes. Version 5.9.0 is a stable release on the v5 line, while 6.0.0-alpha.1 is a pre-release. If you are on v5, upgrade to 5.9.0. If you are already testing or plan to adopt v6, verify that 6.0.0-alpha.1 (or the eventual stable v6 release) is available before committing to the upgrade.
Will updating Billy break my application?
The patches focus on input validation and safety mechanisms, not API changes. Verify compatibility by testing in a non-production environment first, but breaking changes are unlikely. Consult the Billy changelog for any notes on behavioral changes.
This analysis is based on publicly available information as of June 2026. SEC.co does not provide guarantee of accuracy or completeness. Patch version numbers and vendor advisory details should be verified against official Billy release notes and security bulletins. CVSS scores reflect the NVD assessment and may differ from vendor assessments. This is educational content; conduct your own risk assessment based on your specific environment and threat model before taking action. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10028MEDIUMglib-networking GnuTLS Certificate Validation Denial-of-Service
- CVE-2026-40989MEDIUMSpring Cloud Function Infinite Recursion OOM Vulnerability
- CVE-2026-41150MEDIUMMermaid Gantt Chart DoS via Excludes Attribute
- CVE-2026-46146MEDIUMLinux Kernel USB Audio Infinite Loop DoS Vulnerability
- CVE-2026-47306MEDIUMrlottie Uncontrolled Recursion Denial-of-Service Vulnerability
- CVE-2026-47320MEDIUMrlottie Memory Safety Vulnerability – Uninitialized Pointer & Recursion Flaw
- CVE-2026-47706MEDIUMStrawberry GraphQL QueryDepthLimiter Denial of Service
- CVE-2026-46149HIGHLinux Kernel SCSI Target Memory Disclosure & DoS Vulnerability