CVE-2026-48863 PUBLISHED

Libsolv: stack-based buffer overflow in libsolv eddsa pgp signature verification allows denial of service

Assigner: redhat
Reserved: 25.05.2026 Published: 16.07.2026 Updated: 16.07.2026

A flaw was found in libsolv. A stack-based buffer overflow vulnerability exists in the PGP verification component due to incorrect length handling when copying EdDSA 's' MPI into a stack buffer. A remote attacker could craft a malicious Ed25519 PGP signature with mismatched MPI lengths. Processing this crafted signature could lead to a denial of service in automated package or repository processing workflows.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor OpenSUSE
Product libsolv
Versions Default: unaffected
  • affected from 0.6.4 to 0.7.38 (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Hardened Images
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Satellite 6
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Update Infrastructure 4 for Cloud Providers
Versions Default: unaffected

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Credits

  • This issue was discovered by AISLE Research and AISLE in partnership with Red Hat.

References

Problem Types

  • Stack-based Buffer Overflow CWE