CVE Rejected
This CVE has been officially rejected and is no longer considered a valid vulnerability. It may have been a duplicate, found to be non-exploitable, or withdrawn by the reporter.
Platform: go
Component: go.etcd.io/bbolt
Fixed in: 1.10.0, 2.5.4, 1.4.4
CVE-2026-33817 describes an index out-of-range error within the go.etcd.io/bbolt library. This condition arises when the library encounters a branch page containing zero elements, potentially resulting in a denial-of-service (DoS) scenario. The vulnerability affects versions of go.etcd.io/bbolt up to and including 1.4.3, with a fix available in version 2.5.4.
The core impact of CVE-2026-33817 is a potential denial-of-service. An attacker who can trigger this condition – by crafting specific data or manipulating the state of the database – could cause the go.etcd.io/bbolt library to crash or become unresponsive. This could disrupt applications relying on the library for persistent storage. While the vulnerability doesn't directly lead to data exfiltration or remote code execution, the DoS impact can be significant, especially in critical systems where data availability is paramount. The withdrawn advisory status indicates a false positive determination, but the original description highlights a potential instability issue.
This CVE was initially reported and publicly disclosed on 2026-04-06. However, the CVE Numbering Authority subsequently withdrew the advisory, classifying the issue as a false positive. Therefore, there are no known public proof-of-concept exploits or active campaigns targeting this vulnerability. The EPSS score is not applicable due to the withdrawn status. The vulnerability is not listed on the CISA KEV catalog.
EPSS: 0.01% (2% percentile)
The primary mitigation for CVE-2026-33817 is to upgrade to version 2.5.4 or later of the go.etcd.io/bbolt library. If an immediate upgrade is not feasible due to compatibility constraints or testing requirements, consider implementing input validation to prevent the creation of branch pages with zero elements. This might involve carefully scrutinizing data being written to the database. While a WAF or proxy cannot directly mitigate this vulnerability, ensuring the underlying system is patched is crucial. After upgrading, confirm the fix by attempting to reproduce the original condition (encountering a branch page with zero elements) and verifying that the application remains stable.
Update to version 2.5.4 or higher to avoid the index out-of-range error. This update fixes an issue that could occur when processing branch pages with zero elements, which could lead to unexpected behavior or application crashes.
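As an added example (not code from bbolt or from this advisory), the Go program below scans a database file image for the condition the description names: a branch page whose element count is zero. It assumes bbolt's on-disk page header and meta layout in little-endian byte order; `EmptyBranchPages` and `sampleDB` are hypothetical names, and the sample image is constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	hdrSize    = 16         // page header: id u64, flags u16, count u16, overflow u32
	branchFlag = 0x01       // branch page flag in the header's flags field
	magic      = 0xED0CDAED // magic at the start of the meta struct on pages 0 and 1
)

// EmptyBranchPages scans a bbolt file image page by page and returns the ids
// of branch pages with an element count of zero. Assumes little-endian layout.
func EmptyBranchPages(db []byte) ([]uint64, error) {
	le := binary.LittleEndian
	if len(db) < hdrSize+12 || le.Uint32(db[hdrSize:]) != magic {
		return nil, fmt.Errorf("not a bbolt file: bad meta magic")
	}
	pageSize := int(le.Uint32(db[hdrSize+8:])) // meta: magic, version, pageSize
	if pageSize < hdrSize+12 || pageSize > 1<<20 {
		return nil, fmt.Errorf("implausible page size %d", pageSize)
	}
	var hits []uint64
	for off := 0; off+hdrSize <= len(db); {
		flags, count := le.Uint16(db[off+8:]), le.Uint16(db[off+10:])
		if flags&branchFlag != 0 && count == 0 {
			hits = append(hits, uint64(off/pageSize))
		}
		// Step past overflow pages that continue this page's payload.
		off += (1 + int(le.Uint32(db[off+12:]))) * pageSize
	}
	return hits, nil
}

// sampleDB builds a constructed 4-page image with 64-byte pages: two meta
// pages, an empty branch page (id 2) and an empty leaf page (id 3).
func sampleDB() []byte {
	const ps = 64
	db := make([]byte, 4*ps)
	for id, flags := range []uint16{0x04, 0x04, branchFlag, 0x02} {
		binary.LittleEndian.PutUint64(db[id*ps:], uint64(id))
		binary.LittleEndian.PutUint16(db[id*ps+8:], flags)
	}
	binary.LittleEndian.PutUint32(db[hdrSize:], magic)
	binary.LittleEndian.PutUint32(db[hdrSize+8:], ps)
	return db
}
func main() { fmt.Println(EmptyBranchPages(sampleDB())) }
```

Because the scan is linear it also reads freed pages that may hold stale headers, so a reported page id is a lead to investigate rather than proof that a reachable branch page is empty.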
CVE-2026-33817 is a denial-of-service vulnerability in go.etcd.io/bbolt versions <=1.4.3, caused by an index out-of-range error when encountering a branch page with zero elements. It has been withdrawn as a false positive.
If you are using go.etcd.io/bbolt versions 1.4.3 or earlier, you were potentially at risk. However, the advisory has been withdrawn, classifying the issue as a false positive.
The recommended fix is to upgrade to version 2.5.4 or later of go.etcd.io/bbolt. Input validation can be considered as a temporary workaround.
No, CVE-2026-33817 is not being actively exploited. The advisory has been withdrawn due to a false positive determination.
The original advisory has been withdrawn. Refer to the CVE details for more information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33817