CVE-2026-40034

NameCVE-2026-40034
Descriptiongix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rust-gix-submodule (PTS)trixie0.16.0-1vulnerable
forky, sid0.30.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rust-gix-submodulesource(unstable)(unfixed)

Notes

[trixie] - rust-gix-submodule <no-dsa> (Minor issue)
https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f26g-jm89-4g65
Introduced with: https://github.com/GitoxideLabs/gitoxide/commit/6a2e6a436f76c8bbf2487f9967413a51356667a0

Search for package or bug name: Reporting problems