go.etcd.io bbolt Index Out-of-Range Vulnerability in Bucket.Stats

Vulnerability

A vulnerability exists in the go.etcd.io/bbolt package, specifically in the Bucket.Stats() method, which can lead to a panic due to an index-out-of-range error. This issue arises when the method encounters a branch page with zero elements, such as in cases of database corruption or partial writes. The method accesses branch page elements without verifying that the count is greater than zero, leading to an underflow and a crash. This vulnerability affects all versions of the package prior to the fix.
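The unchecked access described above, next to a guarded form, as an added example that is not bbolt's own code. The `branchPage` type, the helper names and the sample page are constructed for illustration, and the model assumes the count is an unsigned 16-bit header field.

```go
package main

import (
	"errors"
	"fmt"
)

// branchPage is a constructed, simplified model of a branch page (not bbolt's type).
type branchPage struct {
	count    uint16   // element count read from the page header
	elemSize []uint32 // constructed per-element sizes; empty when count is 0
}

var errBadCount = errors.New("branch page: invalid element count")

// lastElemUnchecked models the flaw: with count == 0 the unsigned
// subtraction wraps to 65535 and the slice index panics.
func lastElemUnchecked(p branchPage) uint32 {
	return p.elemSize[p.count-1]
}

// lastElemChecked validates the count before indexing, so a corrupted
// page is reported as an error instead of crashing the process.
func lastElemChecked(p branchPage) (uint32, error) {
	if p.count == 0 || int(p.count) > len(p.elemSize) {
		return 0, errBadCount
	}
	return p.elemSize[p.count-1], nil
}

// panicked reports whether fn panicked (demo harness only).
func panicked(fn func()) (hit bool) {
	defer func() { hit = recover() != nil }()
	fn()
	return false
}

func main() {
	corrupt := branchPage{count: 0} // constructed zero-element page
	fmt.Println("unchecked panics:", panicked(func() { lastElemUnchecked(corrupt) }))
	_, err := lastElemChecked(corrupt)
	fmt.Println("checked returns:", err)
}
```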

Impact

Exploiting this vulnerability crashes the process: calling Bucket.Stats() on a corrupted branch page triggers an unrecoverable panic.

Remediation

Users can update to the latest version of go.etcd.io/bbolt, where this vulnerability has been fixed. The fix has been merged into the main branch and backported to versions 1.4 and 1.3.

Added: Apr 6, 2026, 7:19 PM
Updated: Apr 6, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 5.4
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.