CVE-2026-9150
Description
A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in libsolv's Debian metadata parser allows denial of service via crafted SHA384 or SHA512 checksums.
Vulnerability
A stack-based buffer overflow vulnerability exists in libsolv's Debian metadata parser, specifically in the control2solvable() function. The flaw occurs when processing specially crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The checksum string is copied into a stack-allocated buffer declared as char checksum[32 * 2 + 1] (65 bytes), but SHA384 (96 hex chars) and SHA512 (128 hex chars) checksums exceed this capacity, leading to memory corruption. Affected versions include all libsolv releases prior to the fix implemented in pull request #616 [2][3].
Exploitation
An attacker can exploit this vulnerability by providing a malicious Debian repository metadata file (e.g., a Packages file) that includes a SHA384: or SHA512: tag with an overly long checksum value. When libsolv parses this metadata using tools such as deb2solv, the strcpy() operation in control2solvable() writes beyond the allocated buffer [3]. The attacker does not require authentication; the vulnerability is triggered simply by feeding the crafted data to a libsolv-based application. No user interaction is needed beyond the processing of the repository metadata [1].
Impact
Successful exploitation results in memory corruption, leading to a denial of service (DoS). The crash is observed as a stack-buffer-overflow error, as demonstrated with AddressSanitizer output showing a write of 129 bytes into a 65-byte buffer [3]. The impact is limited to availability, with potential for application termination or instability. No code execution or privilege escalation has been reported [1].
Mitigation
The fix is available in libsolv pull request #616, which enlarges the checksum buffer to accommodate SHA384 and SHA512 strings [3]. Users should update libsolv to a version containing this patch. Red Hat has assigned this CVE a medium severity and is tracking it in Bugzilla [2]. As of the publication date (2026-05-20), no EOL or KEV listing has been noted, and the fix is pending inclusion in downstream distributions.
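A length-checked alternative to the unbounded strcpy() described above, as an added example: this is not libsolv's code and not the change in pull request #616 (which the page says enlarges the buffer). The function name copy_checksum, the tag table, and the sample input are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag table (not libsolv's): tag name -> exact hex length. */
static const struct { const char *tag; size_t hexlen; } digest_tags[] = {
    { "SHA256", 64 }, { "SHA384", 96 }, { "SHA512", 128 },
};

/*
 * Copy a checksum tag's value into out[outsz]. Returns the hex length on
 * success, 0 if the tag is unknown, the value is not exactly the expected
 * number of hex digits, or out is too small. Never writes past out[outsz-1].
 */
size_t copy_checksum(const char *tag, const char *value, char *out, size_t outsz)
{
    size_t i, n, want = 0;

    for (i = 0; i < sizeof(digest_tags) / sizeof(digest_tags[0]); i++)
        if (strcmp(tag, digest_tags[i].tag) == 0)
            want = digest_tags[i].hexlen;
    if (want == 0 || outsz < want + 1)
        return 0;
    /* Scan at most want + 1 characters; stop at the first non-hex digit. */
    for (n = 0; n <= want && value[n] != '\0'; n++)
        if (!isxdigit((unsigned char)value[n]))
            return 0;
    if (n != want)
        return 0;
    memcpy(out, value, want);
    out[want] = '\0';
    return want;
}

int main(void)
{
    char small[32 * 2 + 1];   /* the 65-byte size named in the advisory */
    char large[64 * 2 + 1];   /* room for a SHA512 hex string plus NUL */
    char value[64 * 2 + 1];   /* constructed sample input: 128 hex digits */

    memset(value, 'a', sizeof(value) - 1);
    value[sizeof(value) - 1] = '\0';
    printf("SHA512 into 65 bytes:  %zu\n",
           copy_checksum("SHA512", value, small, sizeof(small)));
    printf("SHA512 into 129 bytes: %zu\n",
           copy_checksum("SHA512", value, large, sizeof(large)));
    return 0;
}
```

The destination size is checked before any byte is written, so a 65-byte destination rejects SHA384 and SHA512 values instead of being overrun.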
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.