Skip to main content

libsolv CVE-2026-9149

| EUVDEUVD-2026-31201 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-05-21 secalert@redhat.com GHSA-9q56-xf64-q987
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 00:28 vuln.today
Analysis Generated
May 21, 2026 - 00:28 vuln.today

DescriptionNVD

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted .solv file containing negative size values in the repo_add_solv function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).

AnalysisAI

Heap-based buffer overflow in libsolv's repo_add_solv() function enables a remote unauthenticated attacker to crash the parsing process by delivering a specially crafted .solv repository metadata file containing negative values in the maxsize or allsize header fields. The malformed values bypass allocation sizing logic, producing an undersized heap buffer that is subsequently written past its bounds, yielding a denial of service. No public exploit identified at time of analysis; however, an upstream fix has been submitted via openSUSE/libsolv GitHub PR #617, and Red Hat has acknowledged the issue via a dedicated security advisory.

Technical ContextAI

libsolv is an open-source dependency-solving library maintained by openSUSE and widely consumed by RPM-based package managers including dnf (Fedora/RHEL) and zypper (SUSE/openSUSE). The vulnerable code path is repo_add_solv() in src/repo_solv.c, which deserializes binary .solv repository metadata files. CWE-122 (Heap-based Buffer Overflow) applies: the function reads maxsize and allsize integer fields from the .solv header and uses them directly to drive heap allocation without first validating for negative values or near-integer-maximum overflow. A negative value passes as a small positive size after implicit sign conversion or arithmetic, resulting in an allocation far smaller than the data that follows, and subsequent writes to that buffer corrupt adjacent heap memory. The fix introduced in PR #617 adds an include of <limits.h> and inserts two guards in repo_add_solv(): one rejecting negative maxsize or allsize values with a SOLV_ERROR_CORRUPT error, and a second rejecting maxsize values exceeding INT_MAX - 5 with SOLV_ERROR_OVERFLOW, both branching to a new data_error cleanup label for controlled error handling.

RemediationAI

Apply the upstream fix from openSUSE/libsolv GitHub PR #617 (https://github.com/openSUSE/libsolv/pull/617), which adds negative-value and integer-overflow guards to repo_add_solv() in src/repo_solv.c before any heap allocation is performed. Upstream fix available (PR/commit); a released patched version with a confirmed tag or version number is not independently confirmed from available data - monitor the libsolv release page and the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9149 and Bugzilla #2460380 for a confirmed patch release. As a compensating control prior to patching, restrict all .solv file sources processed by the system to integrity-verified, GPG-signed official mirrors, which denies the attacker the delivery vector needed to supply a malicious .solv file; note that this does not eliminate the vulnerability but removes the practical attack path. Additionally, avoid adding third-party or untrusted repository sources to package manager configurations until a patched release is confirmed and deployed.

CVE-2021-33938 HIGH POC
7.5 Sep 02

Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17 allows attackers

CVE-2021-33930 HIGH POC
7.5 Sep 02

Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before 0.7.17 allows at

CVE-2021-33929 HIGH POC
7.5 Sep 02

Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17 allows attackers

CVE-2021-33928 HIGH POC
7.5 Sep 02

Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows attackers to ca

CVE-2018-20534 MEDIUM POC
6.5 Dec 28

There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of s

CVE-2018-20533 MEDIUM POC
6.5 Dec 28

There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv thr

CVE-2018-20532 MEDIUM POC
6.5 Dec 28

There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2

CVE-2026-48863 HIGH
7.5 Jul 16

Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated pack

CVE-2021-3200 LOW POC
3.3 May 18

Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *tes

CVE-2026-9150 MEDIUM
6.5 May 20

Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a deni

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-9149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy