AIKIDO-2026-10554

dulwich is vulnerable to Improper Verification of Cryptographic Signature

Improper Verification of Cryptographic Signature Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 24, 2026

78

High Risk

This Affects:

Python: dulwich
0.0.1 - 1.1.0
Fixed in 1.2.0

TL;DR

The GPG signature verification path in GPGSignatureVendor only treated a narrow GPG error type as a verification failure, so other GPG failure modes and the empty-signature case could be handled without a consistent BadSignature outcome. The object store, pack reading, and index change detection paths could consume very large memory or perform unbounded stat work on large trees because there were no configured caps for mmap footprint, delta base cache size, or stat budget. The Git smart server support is extended so push operations can honor an atomic option and avoid applying ref updates in a half-updated way when the client requests it.
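The signature-handling weakness above, illustrated as an added example that is not dulwich's code: a verifier that maps only one narrow backend error to BadSignature sits beside a fail-closed version in which every non-success outcome (empty signature, any backend error, a non-valid status) becomes BadSignature. The `FakeGpgBackend`, its error classes and the canned outcomes are constructed stand-ins for a GPG binding, not dulwich or gpgme API.

```python
class BadSignature(Exception):
    """Raised when a signature cannot be positively verified."""


class GpgBadSignatureError(Exception):
    """Constructed stand-in for the one narrow 'bad signature' error."""


class GpgKeyNotFoundError(Exception):
    """Constructed stand-in for an unrelated backend failure."""


class FakeGpgBackend:
    """Constructed backend: maps signature bytes to a canned outcome,
    either an exception to raise or a status string to return."""

    def __init__(self, outcomes):
        self.outcomes = outcomes

    def verify(self, data, signature):
        outcome = self.outcomes.get(signature)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome  # "valid", "expired", or None for unknown input


# Constructed sample outcomes for one commit payload.
BACKEND = FakeGpgBackend({
    b"good-sig": "valid",
    b"tampered-sig": GpgBadSignatureError("BAD signature"),
    b"unknown-key-sig": GpgKeyNotFoundError("public key not found"),
    b"expired-sig": "expired",
})


def verify_narrow(backend, data, signature):
    """Weak pattern: only one error type becomes BadSignature. Other
    backend errors propagate as unrelated exceptions, a non-valid status
    is ignored, and an empty signature is passed straight through."""
    try:
        backend.verify(data, signature)
    except GpgBadSignatureError as e:
        raise BadSignature(str(e))


def verify_fail_closed(backend, data, signature):
    """Hardened pattern: anything other than a positive 'valid' result,
    including an empty signature, ends in BadSignature."""
    if not signature:
        raise BadSignature("empty signature")
    try:
        status = backend.verify(data, signature)
    except Exception as e:  # every backend failure is a verification failure
        raise BadSignature(f"gpg verification failed: {e!r}") from e
    if status != "valid":
        raise BadSignature(f"signature status {status!r} is not valid")
    return True


def outcome(verify_fn, backend, data, signature):
    """Return the name of the exception a verifier raises, or 'ok'."""
    try:
        verify_fn(backend, data, signature)
    except Exception as e:
        return type(e).__name__
    return "ok"
```

Run `outcome(verify_narrow, BACKEND, b"commit", b"")` against `outcome(verify_fail_closed, BACKEND, b"commit", b"")` to see the empty-signature case accepted by the first and rejected by the second.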

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

dulwich is vulnerable to Improper Verification of Cryptographic Signature in versions 0.0.1 - 1.1.0.

How to fix this

Upgrade the dulwich library to version 1.2.0 or later, which contains the fix.