[GHSA-6jwv-w5xf-7j27] go.etcd.io/bbolt affected by index out-of-range vulnerability

advisories/github-reviewed/2026/04/GHSA-6jwv-w5xf-7j27/GHSA-6jwv-w5xf-7j27.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6jwv-w5xf-7j27",
-  "modified": "2026-04-08T00:15:13Z",
+  "modified": "2026-04-08T00:15:14Z",
   "published": "2026-04-06T21:31:34Z",
   "aliases": [
     "CVE-2026-33817"
   ],
-  "summary": "go.etcd.io/bbolt affected by index out-of-range vulnerability",
-  "details": "Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt",
+  "summary": "go.etcd.io/bbolt can panic on malformed branch page with zero elements (DoS)",
+  "details": "`go.etcd.io/bbolt` may panic with an index out-of-range error when traversing a malformed/corrupted branch page that contains zero elements.\n\n### Impact\nThis is primarily an availability issue (panic / process crash / denial of service) when the vulnerable code path is reached while reading crafted database contents.\n\n### Exploitation prerequisites\nExploitation requires attacker-controlled or corrupted BoltDB file contents. This is typically not remotely triggerable unless an attacker can influence the database file (for example via writable shared volumes, weak filesystem permissions, or prior local compromise).\n\n### Mitigations\n- Restrict ownership and permissions of BoltDB files and parent directories.\n- Prevent untrusted write access to storage paths containing BoltDB files.\n- Use backups and corruption-recovery procedures.\n\nIf no fixed release is available yet, consumers should apply the mitigations above and monitor upstream for a patched version.\n",
   "severity": [
     {
       "type": "CVSS_V3",