{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9149", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-05-20T22:08:56.611Z", "datePublished": "2026-05-20T23:34:56.473Z", "dateUpdated": "2026-05-20T23:34:56.473Z"}, "containers": {"cna": {"title": "Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS)."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsolv", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsolv", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsolv", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsolv", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat Hardened Images", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsolv", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:hummingbird:1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "satellite-capsule:el8/libsolv", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:satellite:6"]}, {"vendor": "Red Hat", "product": "Red Hat Update Infrastructure 4 for Cloud Providers", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsolv", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:rhui:4::el8"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-9149", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460380", "name": "RHBZ#2460380", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/openSUSE/libsolv/pull/617"}], "datePublic": "2026-05-20T22:19:32.560Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow", "workarounds": [{"lang": "en", "value": "To mitigate this issue, avoid processing untrusted `.solv` files with libsolv or any applications that consume `.solv` input. Ensure that all `.solv` data processed by the system originates from trusted sources only."}], "timeline": [{"lang": "en", "time": "2026-04-21T21:20:01.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-20T22:19:32.560Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Found by AISLE in partnership with Red Hat."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-20T23:34:56.473Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS)."}], "id": "CVE-2026-9149", "lastModified": "2026-05-21T00:16:35.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-05-21T00:16:35.630", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-9149"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460380"}, {"source": "secalert@redhat.com", "url": "https://github.com/openSUSE/libsolv/pull/617"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"bugzilla": {"description": "libsolv: Heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file", "id": "2460380", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460380"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-122", "details": ["MANUALLY_VERIFIED_REPORT\npackage: libsolv-0.7.33-2.el10\n------\n[Security] Heap Buffer Overflow in repo_add_solv via Negative maxsize\nSummary: Heap buffer overflow in `repo_add_solv` when parsing attacker-controlled `.solv` files; large encoded `maxsize`/`allsize` header values can decode to negative signed `Id` values, leading to undersized heap allocation while a subsequent `fread` uses `DATA_READ_CHUNK` (8192) bytes.\nRequirements to exploit: Ability to supply a crafted `.solv` file that a victim processes with libsolv (directly or via a consumer such as `dumpsolv` or an application that calls `repo_add_solv` on untrusted input).\nComponent affected: libsolv\nVersion affected: <= 0.7.36\nVersion fixed (if any already): >= TBD\nCVSS: 6.5 (Medium) \u2014 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\nImpact: Moderate (proposed). Per https://access.redhat.com/security/updates/classification this is memory corruption reachable via untrusted `.solv` ingestion and can at least cause a denial of service; it is not clearly \"High\" because an attacker typically needs the victim to process attacker-controlled input (configuration/user action) and reliable system compromise is not demonstrated here. This may be \"Low\" instead in product contexts where the vulnerable path is not used by default, is only reachable via uncommon workflows, or is effectively mitigated (e.g., only trusted solvdb is processed).\nEmbargo: no\nAcknowledgement: Aisle Research\nSteps to reproduce if available: See \"Reproduction steps\" below.\nMitigation if available: Prefer only consuming trusted `.solv` / solvdb inputs; avoid parsing untrusted `.solv` files until patched.\nOriginal report:\nHello libsolv maintainers,\nWe believe that we have discovered a potential security vulnerability in `repo_add_solv` when parsing attacker-controlled `.solv` files.\n### Vulnerability details\n`read_id` decodes into an unsigned value and returns `Id` (signed `int`), so large encoded values can become negative after conversion:\n```c\n/* src/repo_solv.c */\nstatic Id\nread_id(Repodata *data, Id max)\n{\nunsigned int x = 0;\n...\nreturn x;\n}\n```\nIn `repo_add_solv`, `maxsize` and `allsize` are read with `max=0` (no bounds check), then used for allocation and read length:\n```c\n/* src/repo_solv.c */\nmaxsize = read_id(&data, 0);\nallsize = read_id(&data, 0);\nmaxsize += 5;\nif (maxsize > allsize)\nmaxsize = allsize;\nbuf = solv_calloc(maxsize + DATA_READ_CHUNK + 4, 1);\nl = maxsize;\nif (l < DATA_READ_CHUNK)\nl = DATA_READ_CHUNK;\nif (l > allsize)\nl = allsize;\nif (!l || fread(buf, l, 1, data.fp) != 1)\n```\nIf `maxsize` is negative, `solv_calloc(maxsize + 8192 + 4, 1)` can allocate a much smaller buffer, but `l` is then raised to `8192`, and `fread` writes `8192` bytes into that undersized heap buffer.\nMost relevant CWEs:\n- `CWE-122` (Heap-based Buffer Overflow): direct overflow sink.\n- `CWE-20` (Improper Input Validation): negative header fields are accepted.\n- `CWE-195` (Signed to Unsigned Conversion Error): signed `int` values flow into allocation sizing.\n### Reproduction steps\n1. Build libsolv with ASAN (or run a consumer binary that calls `repo_add_solv` on `.solv` input, e.g. `dumpsolv`).\n2. Run the parser on this file (`dumpsolv crafted.solv` or equivalent).\n### Crash:\n[root@c28a4ffb0823 workspace]# ./build-asan/tools/dumpsolv ./vuln_1_101_1_negative_maxsize.solv\n=================================================================\n==542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000000b1 at pc 0x00000041fb3c bp 0x7ffffffc5fd0 sp 0x7ffffffc5798\nWRITE of size 8192 at 0x5020000000b1 thread T0\n#0 0x00000041fb3b (/workspace/build-asan/tools/dumpsolv+0x41fb3b) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n#1 0x7fffff662147 (/workspace/build-asan/src/libsolv.so.1+0x57147) (BuildId: ebfff12c035b97f95b2d532a1d6d237ac31e770a)\n#2 0x0000004e45fe (/workspace/build-asan/tools/dumpsolv+0x4e45fe) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n#3 0x7fffff2f0447 (/lib64/libc.so.6+0x3447) (BuildId: dae6ae6929d69dca842288f5300af5a33d1bdcd7)\n#4 0x7fffff2f050a (/lib64/libc.so.6+0x350a) (BuildId: dae6ae6929d69dca842288f5300af5a33d1bdcd7)\n#5 0x000000401514 (/workspace/build-asan/tools/dumpsolv+0x401514) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n0x5020000000b1 is located 0 bytes after 1-byte region [0x5020000000b0,0x5020000000b1)\nallocated by thread T0 here:\n#0 0x0000004a1343 (/workspace/build-asan/tools/dumpsolv+0x4a1343) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n#1 0x7fffff6b6be6 (/workspace/build-asan/src/libsolv.so.1+0xabbe6) (BuildId: ebfff12c035b97f95b2d532a1d6d237ac31e770a)\n#2 0x7fffff662100 (/workspace/build-asan/src/libsolv.so.1+0x57100) (BuildId: ebfff12c035b97f95b2d532a1d6d237ac31e770a)\n#3 0x0000004e45fe (/workspace/build-asan/tools/dumpsolv+0x4e45fe) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n#4 0x7fffff2f0447 (/lib64/libc.so.6+0x3447) (BuildId: dae6ae6929d69dca842288f5300af5a33d1bdcd7)\n#5 0x7fffff2f050a (/lib64/libc.so.6+0x350a) (BuildId: dae6ae6929d69dca842288f5300af5a33d1bdcd7)\n#6 0x000000401514 (/workspace/build-asan/tools/dumpsolv+0x401514) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\nSUMMARY: AddressSanitizer: heap-buffer-overflow (/workspace/build-asan/tools/dumpsolv+0x41fb3b) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc) \nShadow bytes around the buggy address:\n0x501ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x501ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x501fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x501fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x502000000000: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 04 fa\n=>0x502000000080: fa fa 04 fa fa fa[01]fa fa fa fa fa fa fa fa fa\n0x502000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n0x502000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n0x502000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n0x502000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n0x502000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n### Proposed fix\n```diff\ndiff --git a/src/repo_solv.c b/src/repo_solv.c\n@@\nmaxsize = read_id(&data, 0);\nallsize = read_id(&data, 0);\n+ if (maxsize < 0 || allsize < 0)\n+ {\n+ data.error = pool_error(pool, SOLV_ERROR_CORRUPT, \"negative data size in solv header\");\n+ id = 0;\n+ goto data_error;\n+ }\n+ if (maxsize > INT_MAX - 5)\n+ {\n+ data.error = pool_error(pool, SOLV_ERROR_OVERFLOW, \"data size overflow in solv header\");\n+ id = 0;\n+ goto data_error;\n+ }\nmaxsize += 5; /* so we can read the next schema of an array */\nif (maxsize > allsize)\nmaxsize = allsize;\n@@\nif (keydepth)\ndata.error = pool_error(pool, SOLV_ERROR_EOF, \"unexpected EOF, depth = %d\", keydepth);\n@@\n+data_error:\n```\nBest wishes,\nAisle Research\n------\nThis report was generated using AI technology. Always review AI-generated content prior to use"], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid processing untrusted `.solv` files with libsolv or any applications that consume `.solv` input. Ensure that all `.solv` data processed by the system originates from trusted sources only."}, "name": "CVE-2026-9149", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "libsolv", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "libsolv", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libsolv", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libsolv", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "libsolv", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite-capsule:el8/libsolv", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Fix deferred", "package_name": "libsolv", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2026-05-20T22:19:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-9149\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-9149\nhttps://github.com/openSUSE/libsolv/pull/617"], "statement": "Moderate: A heap buffer overflow flaw was found in libsolv's `repo_add_solv` function. This issue occurs when processing specially crafted `.solv` files with negative size values, leading to an undersized memory allocation and subsequent out-of-bounds write. Exploitation requires a victim to process attacker-controlled `.solv` input, which can result in a denial of service.", "threat_severity": "Moderate"}