CVE-2021-3200
Description
Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp) function at src/testcase.c: line 2334, which could cause a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (32)
- libsolv/libsolv (description)
- osv-coords, 30 versions (< 0.7.19-1.el8 + 29 more):
  - pkg:rpm/almalinux/libsolv-devel (no CPE), range: < 0.7.19-1.el8
  - pkg:rpm/almalinux/libsolv-tools (no CPE), range: < 0.7.19-1.el8
  - pkg:rpm/suse/libsolv&distro=HPE%20Helion%20OpenStack%208 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE), range: < 0.6.37-2.27.24.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20OpenStack%20Cloud%208 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20OpenStack%20Cloud%209 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libsolv&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE), range: < 0.6.37-2.33.1
  - pkg:rpm/suse/libzypp&distro=HPE%20Helion%20OpenStack%208 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE), range: < 16.21.4-27.75.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%208 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%209 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE), range: < 16.21.4-2.51.1
  - pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE), range: < 16.21.4-2.51.1
Patches
Vulnerability mechanics
Root cause
"Missing bounds check in MAPCLR macro allows heap-buffer-overflow when index p>>3 exceeds the allocated map size."
Attack vector
An attacker supplies a crafted testcase file to the `testsolv` tool [ref_id=1]. When `testcase_read` processes this input, the index variable `p` can be large enough that `p >> 3` exceeds `pool->considered->size`, causing a heap-buffer-overflow read on the `map` array [ref_id=1]. The overflow occurs at line 2334 during the `FOR_JOB_SELECT` loop where `MAPCLR` is called without bounds checking [ref_id=1]. This can be triggered remotely by providing a malicious testcase file, leading to a denial of service.
Affected code
The vulnerability resides in the `testcase_read` function at `src/testcase.c:2334` [ref_id=1]. At this line, the macro `MAPCLR(pool->considered, p)` is invoked, which expands to `pool->considered->map[p >> 3] &= ~(1 << (p & 7))` [ref_id=1]. The `pool->considered` variable is a `Map` structure containing a `map` (unsigned char pointer) and a `size` field [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation guidance [ref_id=1]. To fix the vulnerability, bounds checking should be added before the `MAPCLR` operation at line 2334 to ensure that `p >> 3` is less than `pool->considered->size` [ref_id=1]. Without such a check, an attacker-controlled index can write outside the allocated heap buffer.
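The bounds check described above, as an added illustration (not libsolv's code and not the project's actual patch). The `Map` type is a simplified stand-in for the structure the page describes; `map_init`, `map_clr_checked`, the `int` index type and the 16-bit sample map are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the Map described on the page (byte array plus
 * size in bytes); an assumption, not libsolv's header. */
typedef struct {
    unsigned char *map;
    int size;
} Map;

/* Unchecked clear, as quoted on the page: no test of (n >> 3) against size. */
#define MAPCLR(m, n) ((m)->map[(n) >> 3] &= ~(1 << ((n) & 7)))

/* Hypothetical helper: allocate a map for nbits bits, all bits set. */
static int map_init(Map *m, int nbits)
{
    m->size = (nbits + 7) >> 3;
    m->map = malloc((size_t)m->size);
    if (m->map == NULL)
        return -1;
    memset(m->map, 0xff, (size_t)m->size);
    return 0;
}

/* Hypothetical checked wrapper: clears bit id and returns 0, or returns -1
 * without touching memory when id is negative or its byte index is >= size. */
static int map_clr_checked(Map *m, int id)
{
    if (m == NULL || m->map == NULL || id < 0 || (id >> 3) >= m->size)
        return -1;
    MAPCLR(m, id);
    return 0;
}

int main(void)
{
    Map considered;
    if (map_init(&considered, 16) != 0)   /* constructed sample: 16 ids, 2 bytes */
        return 1;
    printf("id 9:  %d\n", map_clr_checked(&considered, 9));    /* in range */
    printf("id 16: %d\n", map_clr_checked(&considered, 16));   /* one past the end */
    printf("id 1048576: %d\n", map_clr_checked(&considered, 1 << 20));
    free(considered.map);
    return 0;
}
```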
Preconditions
- input: Attacker must supply a crafted testcase file to the testsolv tool
- config: The pool->considered map must be initialized with a size smaller than the index p>>3 used in MAPCLR
Reproduction
Use the provided PoC file with the testsolv tool: `/libsolvBuildDir/tools/testsolv PoC-testcase_read-2334` [ref_id=1]. When built with AddressSanitizer (`-fsanitize=address`), the tool will report a heap-buffer-overflow at `src/testcase.c:2334` [ref_id=1].
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
- github.com/openSUSE/libsolv/issues/416 (mitre: x_refsource_MISC)
- github.com/yangjiageng/PoC/blob/master/libsolv-PoCs/PoC-testcase_read-2334 (mitre: x_refsource_MISC)
- www.oracle.com/security-alerts/cpuapr2022.html (mitre: x_refsource_MISC)