CVE-2026-48864
Description
A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within .solv files due to insufficient input validation. An attacker can provide a specially crafted .solv file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in libsolv's repopage.c occurs when decompressing attacker-controlled compressed data in .solv files, leading to out-of-bounds memory access.
Vulnerability
A heap buffer overflow vulnerability exists in libsolv, specifically in the repopagestore_load_page_range and repopagestore_read_or_setup_pages functions in src/repopage.c. The flaw occurs when decompressing attacker-controlled compressed data within .solv files. The code calls unchecked_decompress_buf without first validating the required output length or back-reference safety, allowing out-of-bounds memory reads and writes. Affected versions include at least libsolv-0.7.36 and likely other releases containing the same vulnerable code paths [1][2].
Exploitation
To exploit this vulnerability, an attacker must supply a specially crafted .solv file or attacker-controlled repository metadata with malicious compressed page data. No prior privileges on the target system are required. The victim must ingest the malicious content through a vulnerable application that parses .solv files using the normal loading flow. The attack requires user interaction (UI:R) as the victim must cause the application to process the crafted file, but no further authentication is needed (PR:N) [2].
Impact
Successful exploitation can lead to out-of-bounds memory access, resulting in information disclosure (confidentiality), alteration of program execution (integrity), or a denial of service (availability). The CVSS v3 score is 7.8 (High) with a vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high impact on all three CIA pillars within the vulnerable component's security scope [1][2].
Mitigation
A proposed fix has been suggested by security researchers, but an official upstream release fixing the issue has not been confirmed as of the publication date. Affected users should monitor the libsolv project for updated versions. No workarounds are documented in the available references. As of now, this CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation before decompression allows heap buffer overflow via attacker-controlled compressed page data."
Attack vector
An attacker supplies a crafted `.solv` file containing compressed page data that either decompresses to more than `REPOPAGE_BLOBSIZE` (32 KB) or uses a back-reference offset larger than the already-produced data. When a victim application loads this file through normal parsing flows (e.g., `repo_add_solv`), the `unchecked_decompress_buf` function writes past the destination buffer (out-of-bounds write) or reads from invalid memory via a malicious back-reference (out-of-bounds read) [ref_id=1]. No privileges on the target are required, but the victim must ingest the malicious `.solv` content [ref_id=1].
Affected code
The vulnerable code is in `src/repopage.c` within the functions `repopagestore_load_page_range` and `repopagestore_read_or_setup_pages`. Both call `unchecked_decompress_buf` on attacker-controlled compressed page data without first calling `check_decompress_buf` to validate the decompressed size or back-reference safety [ref_id=1].
What the fix does
The proposed fix inserts a call to `check_decompress_buf` before `unchecked_decompress_buf` in both vulnerable code paths. It validates that the required decompressed length (`need_len`) is non-zero, does not exceed `REPOPAGE_BLOBSIZE`, and matches the expected page size. If validation fails, the function returns an error (0 or `SOLV_ERROR_CORRUPT`) instead of proceeding with decompression [ref_id=1]. This mirrors a safer pattern already present elsewhere in `src/repopage.c` [ref_id=1].
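The validate-then-decompress pattern the page attributes to the fix, as an added example that is not libsolv's code: a simplified LZ-style page decoder with a hypothetical token format, a `check_decompress_buf` pass that computes the decompressed length without writing anything and rejects back-references reaching before the start of the output or output past `REPOPAGE_BLOBSIZE`, the trusting `unchecked_decompress_buf`, and a `load_page` loader that refuses to decompress unless the checked length is non-zero, within the blob size, and equal to the size the page index promised. The function names echo the description above, but the bodies, token format, `ERR_CORRUPT` constant and sample streams are constructed for this example.

```c
/* Added example (not libsolv's code): validate-then-decompress for a
 * fixed-size page. Token format, constants and sample data are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REPOPAGE_BLOBSIZE (32 * 1024) /* page size cited in the description */
#define ERR_CORRUPT (-1)              /* stands in for SOLV_ERROR_CORRUPT */

/* Hypothetical token format, constructed for this example:
 *   0x00..0x7f  literal run: (byte + 1) raw bytes follow
 *   0x80..0xff  back-reference: copy ((byte & 0x7f) + 3) bytes from `off`
 *               bytes back; `off` is a 2-byte little-endian distance that
 *               follows the token. Overlap is allowed (off = 1 is a fill). */

/* Pass 1: walk the stream without writing. Returns the exact decompressed
 * length, or 0 if the stream is truncated, would exceed out_max, or has a
 * back-reference pointing before out[0]. Safe to run on hostile input. */
static size_t check_decompress_buf(const uint8_t *in, size_t inlen, size_t out_max)
{
    size_t ip = 0, produced = 0;
    while (ip < inlen) {
        uint8_t tok = in[ip++];
        if (tok < 0x80) {
            size_t n = (size_t)tok + 1;
            if (inlen - ip < n) return 0;              /* truncated literal run */
            ip += n;
            produced += n;
        } else {
            size_t n = (size_t)(tok & 0x7f) + 3;
            if (inlen - ip < 2) return 0;              /* truncated offset */
            size_t off = in[ip] | ((size_t)in[ip + 1] << 8);
            ip += 2;
            if (off == 0 || off > produced) return 0;  /* would read before out[0] */
            produced += n;
        }
        if (produced > out_max) return 0;              /* would overflow the page */
    }
    return produced;
}

/* Pass 2: the trusting decoder. No bound on `out`, no check on `off`: this is
 * the hazard when it is reached with unvalidated input. Call it only after
 * check_decompress_buf has accepted the same stream. */
static size_t unchecked_decompress_buf(const uint8_t *in, size_t inlen, uint8_t *out)
{
    size_t ip = 0, op = 0;
    while (ip < inlen) {
        uint8_t tok = in[ip++];
        if (tok < 0x80) {
            size_t n = (size_t)tok + 1;
            memcpy(out + op, in + ip, n);
            ip += n;
            op += n;
        } else {
            size_t n = (size_t)(tok & 0x7f) + 3;
            size_t off = in[ip] | ((size_t)in[ip + 1] << 8);
            ip += 2;
            for (size_t i = 0; i < n; i++, op++)       /* byte-wise so overlap works */
                out[op] = out[op - off];
        }
    }
    return op;
}

/* Loader in the shape of the fix: the checked length must be non-zero, fit
 * the page, and equal the size the page index promised; only then decompress. */
static int load_page(const uint8_t *in, size_t inlen, uint8_t *page, size_t expected_len)
{
    size_t need_len = check_decompress_buf(in, inlen, REPOPAGE_BLOBSIZE);
    if (!need_len || need_len > REPOPAGE_BLOBSIZE || need_len != expected_len)
        return ERR_CORRUPT;                            /* reject before touching page */
    return unchecked_decompress_buf(in, inlen, page) == need_len ? 0 : ERR_CORRUPT;
}

/* Constructed sample streams (not taken from any real .solv file). */
static const uint8_t good_stream[] = {
    0x02, 'a', 'b', 'c',  /* literal "abc"                        */
    0x80, 0x03, 0x00,     /* 3 bytes from 3 back -> "abcabc"      */
    0x81, 0x01, 0x00,     /* 4 bytes from 1 back -> "abcabccccc"  */
};
static const uint8_t bad_backref[] = { 0x00, 'x', 0x80, 0x05, 0x00 }; /* 5 back, 1 produced */
static const uint8_t truncated[]   = { 0x05, 'y', 'z' };               /* promises 6, has 2  */

/* Decompress into a scratch page and compare with the bytes we expect. */
static int load_matches(const uint8_t *in, size_t inlen, const char *want)
{
    static uint8_t page[REPOPAGE_BLOBSIZE];
    size_t want_len = strlen(want);
    if (load_page(in, inlen, page, want_len) != 0) return 0;
    return memcmp(page, want, want_len) == 0;
}

int main(void)
{
    printf("good stream : %s\n", load_matches(good_stream, sizeof good_stream, "abcabccccc") ? "loaded" : "rejected");
    printf("bad backref : %s\n", load_matches(bad_backref, sizeof bad_backref, "xxxxx") ? "loaded" : "rejected");
    printf("truncated   : %s\n", load_matches(truncated, sizeof truncated, "yz") ? "loaded" : "rejected");
    return 0;
}
```

Called directly on `bad_backref`, the unchecked decoder would evaluate `out[1 - 5]`, an index before the buffer, which is the kind of access AddressSanitizer reports in the reproduction above; `check_decompress_buf` never writes, so it is the only routine that may see an unvalidated stream. Comparing `need_len` against the length recorded in the page index, as well as against the blob size, also catches a stream that is well-formed but shorter than the page the consumer will later read in full.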
Preconditions
- input: Victim must load a crafted `.solv` file or attacker-controlled repository metadata
- auth: No privileges on the target system required
- network: Victim must cause a vulnerable libsolv consumer to parse the malicious content (user interaction)
Reproduction
1. Build libsolv with AddressSanitizer (`-fsanitize=address`) and debug symbols.
2. Prepare a `.solv` file containing vertical page data marked as compressed, where the compressed stream either decompresses beyond `REPOPAGE_BLOBSIZE` (32 KB) or uses a back-reference offset larger than the amount of data already produced.
3. Load the file via the normal `.solv` parsing flow (e.g., through `repo_add_solv`, `repopagestore_read_or_setup_pages`, or `repopagestore_load_page_range`).
4. Observe an ASan crash such as `heap-buffer-overflow` or an invalid read during `unchecked_decompress_buf` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.