cvedb.io
CVE-2026-44471
HIGH · CVSS 7.8
EPSS exploitation probability: 0%
Published 2026-05-13T22:16:46.057 · Last modified 2026-06-17T10:50:41.590

Summary

gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries are deferred and created after regular files using a single shared gix_worktree::Stack. Internally, this uses a gix_fs::Stack. gix_fs::Stack::make_relative_path_current() caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at gix-fs/src/stack.rs invokes only delegate.push_directory(), never delegate.push(). In gix_worktree::stack::delegate::StackDelegate, when the state member is Sta

Affected products

gitoxidelabs — gix-fs


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.