{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33817", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-23T20:35:32.815Z", "datePublished": "2026-04-06T18:13:23.996Z", "dateUpdated": "2026-04-06T19:25:23.842Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-06T18:13:23.996Z"}, "title": "Vulnerability in go.etcd.io/bbolt", "descriptions": [{"lang": "en", "value": "Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt"}], "affected": [{"vendor": "go.etcd.io/bbolt", "product": "go.etcd.io/bbolt", "collectionURL": "https://pkg.go.dev", "packageName": "go.etcd.io/bbolt", "programRoutines": [{"name": "Bucket.Stats"}, {"name": "Bucket.CreateBucket"}, {"name": "Bucket.CreateBucketIfNotExists"}, {"name": "Bucket.Delete"}, {"name": "Bucket.DeleteBucket"}, {"name": "Bucket.ForEach"}, {"name": "Bucket.ForEachBucket"}, {"name": "Bucket.MoveBucket"}, {"name": "Bucket.NextSequence"}, {"name": "Bucket.Put"}, {"name": "Bucket.SetSequence"}, {"name": "Compact"}, {"name": "Cursor.Delete"}, {"name": "DB.Batch"}, {"name": "DB.Begin"}, {"name": "DB.Close"}, {"name": "DB.Sync"}, {"name": "DB.Update"}, {"name": "DB.View"}, {"name": "DefaultLogger.Debug"}, {"name": "DefaultLogger.Debugf"}, {"name": "DefaultLogger.Error"}, {"name": "DefaultLogger.Errorf"}, {"name": "DefaultLogger.Fatal"}, {"name": "DefaultLogger.Fatalf"}, {"name": "DefaultLogger.Info"}, {"name": "DefaultLogger.Infof"}, {"name": "DefaultLogger.Panic"}, {"name": "DefaultLogger.Panicf"}, {"name": "DefaultLogger.Warning"}, {"name": "DefaultLogger.Warningf"}, {"name": "Open"}, {"name": "Tx.Check"}, {"name": "Tx.Commit"}, {"name": "Tx.Copy"}, {"name": "Tx.CopyFile"}, {"name": "Tx.CreateBucket"}, {"name": "Tx.CreateBucketIfNotExists"}, {"name": "Tx.DeleteBucket"}, {"name": "Tx.ForEach"}, {"name": "Tx.MoveBucket"}, {"name": "Tx.Rollback"}, {"name": "Tx.WriteTo"}], "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "references": [{"url": "https://github.com/etcd-io/bbolt/pull/1171/changes/386d5b69785937d1aa20cb25c8439404cf398143"}, {"url": "https://github.com/golang/vulndb/issues/4923"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4923"}], "credits": [{"lang": "en", "value": "Quoc Bui (github.com/quocvibui)"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:24:37.514979Z", "id": "CVE-2026-33817", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:25:23.842Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33817", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T19:24:37.514979Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:23:47.201Z"}}], "cna": {"title": "Vulnerability in go.etcd.io/bbolt", "credits": [{"lang": "en", "value": "Quoc Bui (github.com/quocvibui)"}], "affected": [{"vendor": "go.etcd.io/bbolt", "product": "go.etcd.io/bbolt", "packageName": "go.etcd.io/bbolt", "collectionURL": "https://pkg.go.dev", "defaultStatus": "affected", "programRoutines": [{"name": "Bucket.Stats"}, {"name": "Bucket.CreateBucket"}, {"name": "Bucket.CreateBucketIfNotExists"}, {"name": "Bucket.Delete"}, {"name": "Bucket.DeleteBucket"}, {"name": "Bucket.ForEach"}, {"name": "Bucket.ForEachBucket"}, {"name": "Bucket.MoveBucket"}, {"name": "Bucket.NextSequence"}, {"name": "Bucket.Put"}, {"name": "Bucket.SetSequence"}, {"name": "Compact"}, {"name": "Cursor.Delete"}, {"name": "DB.Batch"}, {"name": "DB.Begin"}, {"name": "DB.Close"}, {"name": "DB.Sync"}, {"name": "DB.Update"}, {"name": "DB.View"}, {"name": "DefaultLogger.Debug"}, {"name": "DefaultLogger.Debugf"}, {"name": "DefaultLogger.Error"}, {"name": "DefaultLogger.Errorf"}, {"name": "DefaultLogger.Fatal"}, {"name": "DefaultLogger.Fatalf"}, {"name": "DefaultLogger.Info"}, {"name": "DefaultLogger.Infof"}, {"name": "DefaultLogger.Panic"}, {"name": "DefaultLogger.Panicf"}, {"name": "DefaultLogger.Warning"}, {"name": "DefaultLogger.Warningf"}, {"name": "Open"}, {"name": "Tx.Check"}, {"name": "Tx.Commit"}, {"name": "Tx.Copy"}, {"name": "Tx.CopyFile"}, {"name": "Tx.CreateBucket"}, {"name": "Tx.CreateBucketIfNotExists"}, {"name": "Tx.DeleteBucket"}, {"name": "Tx.ForEach"}, {"name": "Tx.MoveBucket"}, {"name": "Tx.Rollback"}, {"name": "Tx.WriteTo"}]}], "references": [{"url": "https://github.com/etcd-io/bbolt/pull/1171/changes/386d5b69785937d1aa20cb25c8439404cf398143"}, {"url": "https://github.com/golang/vulndb/issues/4923"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4923"}], "descriptions": [{"lang": "en", "value": "Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-06T18:13:23.996Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33817", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:25:23.842Z", "dateReserved": "2026-03-23T20:35:32.815Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-04-06T18:13:23.996Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt"}], "id": "CVE-2026-33817", "lastModified": "2026-04-06T20:16:23.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-06T19:16:27.677", "references": [{"source": "security@golang.org", "url": "https://github.com/etcd-io/bbolt/pull/1171/changes/386d5b69785937d1aa20cb25c8439404cf398143"}, {"source": "security@golang.org", "url": "https://github.com/golang/vulndb/issues/4923"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4923"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "go.etcd.io/bbolt", "source": "cna", "vendor": "go.etcd.io/bbolt"}, "product": "bbolt", "vendor": "etcd-io"}], "analysis": {"en": {"generated_at": "2026-04-07T02:09:40.709384+00:00", "value": {"mitigation_remediation": ["Check the version of go.etcd.io/bbolt used in your applications.", "Apply the latest bbolt release that incorporates the fix from the pull request linked in the advisory.", "If an immediate upgrade is not possible, sanitize database inputs to avoid branch pages with no elements and implement application\u2011level panic recovery."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The weakness resides in the bbolt key\u2011value storage library used by etcd and other Go programs. Any application that links to an older bbolt release and processes database files may be impacted, regardless of the operating system. The CVE data does not specify affected versions, so all releases predating the referenced patch are considered vulnerable.", "description_and_impact": "The bug in the go.etcd.io/bbolt package triggers an index\u2010out\u2010of\u2010range condition when a branch page has zero elements. This out\u2011of\u2011bounds read (CWE\u2011125) causes a panic that crashes the host process, thus denying availability of any application using the database. The vulnerability does not directly compromise confidentiality or integrity.", "risk_and_exploitability": "The CVSS score of 6.2 classifies the issue as medium severity. EPSS information is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating limited known exploitation. An attacker would need to influence the contents of a bbolt database (e.g., by uploading a crafted file or manipulating data through an exposed API) to trigger the panic. The risk is therefore moderate and tied to how the library is exposed to external input."}}}}, "created": "2026-04-07T06:54:46.098057+00:00", "updated": "2026-04-07T09:37:50.821417+00:00", "vendors": ["etcd-io", "etcd-io$PRODUCT$bbolt"]}