VYPR
Medium severity · 6.5 · NVD Advisory · Published May 21, 2026

CVE-2026-9149

Description

A flaw was found in libsolv. The heap buffer overflow occurs in the repo_add_solv function when a victim processes a specially crafted .solv file containing negative size values. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap buffer overflow in libsolv's repo_add_solv function lets remote attackers cause denial of service by processing crafted .solv files with negative size values.

Vulnerability

A heap buffer overflow vulnerability exists in the repo_add_solv function of libsolv versions up to and including 0.7.36. The flaw occurs when parsing specially crafted .solv files containing maliciously large maxsize or allsize header values. The read_id() function decodes these values as unsigned, but they are assigned to signed int variables, so a value above INT_MAX wraps to a negative number. That negative value is later coerced to an unsigned size_t when passed to solv_calloc(), leading to an undersized heap allocation. The subsequent fread() calls use a fixed chunk size of DATA_READ_CHUNK (8192 bytes) regardless of the buffer's real capacity, causing an out-of-bounds write [2][3].
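The defect above is a decoded unsigned size landing in a signed int and then in a size_t. As an added example (not libsolv's code, and not the upstream fix), the following C shows the two checks a parser of this kind needs: reject any decoded header size that would not fit a signed int before allocating, and bound every chunked read by the room left in the buffer instead of always reading a full DATA_READ_CHUNK. The names solv_size_ok, bounded_chunk_read and load_section, and the zero-filled sample buffer standing in for file contents, are assumptions constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DATA_READ_CHUNK 8192  /* chunk size named in the advisory */

/* A decoded size is usable only if it fits a signed int: above INT_MAX is what goes negative. */
bool solv_size_ok(uint32_t decoded, int *out)
{
    if (decoded > (uint32_t)INT_MAX) return false;
    *out = (int)decoded;
    return true;
}

/* Fill buf (capacity total) from src in chunks, never past the buffer or the input. */
size_t bounded_chunk_read(const uint8_t *src, size_t src_len, uint8_t *buf, size_t total)
{
    size_t done = 0;
    while (done < total && done < src_len) {
        size_t want = total - done;                        /* room left in buf */
        if (want > DATA_READ_CHUNK) want = DATA_READ_CHUNK;
        if (want > src_len - done) want = src_len - done;  /* input left */
        memcpy(buf + done, src + done, want);
        done += want;
    }
    return done;
}

/* Validate, allocate exactly the claimed size, fill with bounded reads; -1 if size rejected. */
long load_section(uint32_t decoded_size, const uint8_t *src, size_t src_len)
{
    int size;
    if (!solv_size_ok(decoded_size, &size)) return -1;
    uint8_t *buf = calloc((size_t)size + 1, 1);  /* allocation matches the claim */
    if (!buf) return -1;
    size_t got = bounded_chunk_read(src, src_len, buf, (size_t)size);
    free(buf);
    return (long)got;
}

/* Constructed stand-in for file contents: three full chunks plus one byte, zero-filled. */
static const uint8_t sample[3 * DATA_READ_CHUNK + 1] = {0};

int main(void)
{
    printf("rejected=%ld copied=%ld\n", load_section(4294959095u, sample, sizeof sample), load_section(20000u, sample, sizeof sample));
}
```

The first call uses the value quoted in the advisory and is refused before any allocation; the second copies 20000 bytes in three bounded reads, and a claimed size larger than the input yields a short read rather than an overflow.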

Exploitation

An attacker needs to deliver a crafted .solv file to a victim and convince them to process it with a libsolv-based tool (e.g., dumpsolv) or an application that calls repo_add_solv() on untrusted input. No authentication is required beyond the ability to supply the file. Once the file is parsed, the integer overflow in maxsize or allsize (e.g., a value like 4294959095 decodes to a large negative number) triggers the undersized allocation and heap overflow during the subsequent fread() [2][3].

Impact

Successful exploitation allows an attacker to cause a denial of service (DoS) due to heap memory corruption. The crash is reproducible with proof-of-concept .solv files. The impact is rated as CVSS 6.5 (Medium) because remote exploitation requires user interaction to process the crafted file, and in many contexts the vulnerable code path is not reached by default [1][2]. Reliable remote code execution (RCE) is not demonstrated in available references.

Mitigation

No official patch version is yet released as of the publication date; the fix is pending (version TBD) [2]. Upstream has a pull request (#617) addressing the integer overflow [3]. Until a patched version is available, the primary mitigation is to only consume .solv files from trusted sources and avoid parsing untrusted or unverified .solv files [2]. Organizations should monitor the libsolv project for a patched release.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
