CVE-2024-24577: libgit2 is vulnerable to arbitrary code execution due to heap corruption in `git_index_add`

Published Feb 6, 2024
·
Updated

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to gitindexadd can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the hasdirname function in src/libgit2/index.c, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.

Affected Software

8 affected componentsFixes available
debian/libgit2<=0.27.7+dfsg.1-0.2, <=1.1.0+dfsg.1-4+deb11u1, <=1.5.1+ds-1
0.27.7+dfsg.1-0.2+deb10u21.1.0+dfsg.1-4+deb11u21.5.1+ds-1+deb12u11.7.2+ds-1
ubuntu/libgit2<0.26.0+dfsg.1-1.1ubuntu0.2+
0.26.0+dfsg.1-1.1ubuntu0.2+
ubuntu/libgit2<0.28.4+dfsg.1-2ubuntu0.1
0.28.4+dfsg.1-2ubuntu0.1
ubuntu/libgit2<1.1.0+dfsg.1-4.1ubuntu0.1
1.1.0+dfsg.1-4.1ubuntu0.1
ubuntu/libgit2<1.5.1+
1.5.1+
ubuntu/libgit2<0.24.1-2ubuntu0.2+
0.24.1-2ubuntu0.2+
libgit2 libgit2<1.6.5
libgit2 libgit2>=1.7.0<1.7.2

Event History

Feb 6, 2024
CVE Published
via Ubuntu·12:00 AM
CVE Published
via MITRE·09:36 PM
Data Sourced
via MITRE·09:36 PM
DescriptionSeverityWeakness
Mar 5, 2024
Data Sourced
via Launchpad·10:35 PM
Description
Data Sourced
via Debian·10:35 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-24577?

CVE-2024-24577 is classified as a critical vulnerability due to its potential for arbitrary code execution.

2

How do I fix CVE-2024-24577?

To remediate CVE-2024-24577, upgrade to a version of libgit2 that is 1.6.5 or newer.

3

What versions of libgit2 are affected by CVE-2024-24577?

CVE-2024-24577 affects libgit2 versions before 1.6.5 and between 0.24.1 and 1.7.2.

4

What are the risks associated with CVE-2024-24577?

Exploitation of CVE-2024-24577 could lead to heap corruption, allowing an attacker to execute arbitrary code.

5

Is CVE-2024-24577 present in Debian or Ubuntu distributions?

Yes, CVE-2024-24577 is present in several Debian and Ubuntu packages of libgit2 prior to the specified remedial versions.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203