Git LFS update fixes three security risks

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Git LFS update fixes three security risks

ALSA-2026:3928

Summary

Update Git Large File Storage to prevent denial of service and memory exhaustion issues. This update is necessary to ensure the security and stability of your Git repository. Apply the update as soon as possible to protect your files and data.

What to do

Update almalinux git-lfs to version 3.6.1-7.el9_7.

Affected software

Vendor	Product	Affected versions	Fix available
almalinux	git-lfs	<= 3.6.1-7.el9_7	3.6.1-7.el9_7

Original title

Important: git-lfs security update

Original description

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)
* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

https://access.redhat.com/errata/RHSA-2026:3928 Vendor Advisory
https://access.redhat.com/security/cve/CVE-2025-61726 Third Party Advisory
https://access.redhat.com/security/cve/CVE-2025-61729 Third Party Advisory
https://access.redhat.com/security/cve/CVE-2025-68121 Third Party Advisory
https://bugzilla.redhat.com/2418462 Third Party Advisory
https://bugzilla.redhat.com/2434432 Third Party Advisory
https://bugzilla.redhat.com/2437111 Third Party Advisory
https://errata.almalinux.org/9/ALSA-2026-3928.html Vendor Advisory

Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 13 Mar 2026