CVE-2026-9150 PUBLISHED

Libsolv: stack-based buffer overflow in libsolv's debian metadata parser when handling sha384/sha512 checksums

Assigner: redhat
Reserved: 20.05.2026
Published: 20.05.2026
Updated: 21.05.2026

A flaw was found in libsolv. A stack-based buffer overflow occurs in libsolv's Debian metadata parser when it processes specially crafted Debian repository metadata. An attacker could exploit this by supplying malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) on the affected system.
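As an added illustration (not libsolv's code, and not the fixed parser), the following C reader handles one checksum line of a Debian Packages stanza and refuses to copy a digest into its fixed-size stack buffer unless the hex length matches the tag (96 characters for SHA384, 128 for SHA512). The tag names, buffer size and sample lines are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative hardened parser for "Tag: <hexdigest>" lines as found in a
 * Debian Packages stanza. Assumed destination size: SHA512 is 64 bytes,
 * i.e. 128 hex characters, the longest digest we accept. */
#define MAX_DIGEST_HEX 128

/* Expected hex length for a checksum tag; 0 means the tag is not accepted. */
static size_t expected_hex_len(const char *tag)
{
    if (strcmp(tag, "MD5sum") == 0) return 32;
    if (strcmp(tag, "SHA1")   == 0) return 40;
    if (strcmp(tag, "SHA256") == 0) return 64;
    if (strcmp(tag, "SHA384") == 0) return 96;
    if (strcmp(tag, "SHA512") == 0) return 128;
    return 0;
}

/* Copy the hex digest of a well-formed "Tag: value" line into out.
 * Returns 1 on success, 0 for an unknown tag or a digest whose length
 * does not match the tag. The length is checked before any copy, so a
 * crafted over-long value can never write past the caller's buffer. */
int parse_checksum_line(const char *line, char out[MAX_DIGEST_HEX + 1])
{
    char tag[16];
    const char *colon = strchr(line, ':');
    if (!colon || (size_t)(colon - line) >= sizeof tag) return 0;
    memcpy(tag, line, colon - line);
    tag[colon - line] = '\0';
    size_t want = expected_hex_len(tag);
    if (want == 0) return 0;
    const char *p = colon + 1;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strspn(p, "0123456789abcdefABCDEF");
    if (n != want || (p[n] != '\0' && p[n] != '\n' && p[n] != '\r')) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Build a constructed sample line "<tag>: aaaa..." with hexlen 'a's and
 * run it through the parser; used to exercise the length check. */
int demo_case(const char *tag, size_t hexlen)
{
    char line[256], out[MAX_DIGEST_HEX + 1];
    size_t tl = strlen(tag);
    if (hexlen > 240 || tl > 8) return -1;   /* keep the sample in bounds */
    memcpy(line, tag, tl);
    line[tl] = ':';
    line[tl + 1] = ' ';
    memset(line + tl + 2, 'a', hexlen);
    line[tl + 2 + hexlen] = '\0';
    return parse_checksum_line(line, out);
}
```

A valid 128-character SHA512 digest is accepted, while a 200-character one or a 95-character SHA384 value is rejected before any byte is copied.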

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS Score: 6.5

Product Status

Vendor    Product                                                   Versions
Red Hat   Red Hat Enterprise Linux 10                               Default: affected
Red Hat   Red Hat Enterprise Linux 7                                Default: affected
Red Hat   Red Hat Enterprise Linux 8                                Default: affected
Red Hat   Red Hat Enterprise Linux 9                                Default: affected
Red Hat   Red Hat Hardened Images                                   Default: affected
Red Hat   Red Hat OpenShift Container Platform 4                    Default: affected
Red Hat   Red Hat Satellite 6                                       Default: affected
Red Hat   Red Hat Update Infrastructure 4 for Cloud Providers       Default: affected

Workarounds

To mitigate this issue, ensure that libsolv only processes trusted and cryptographically signed Debian repository metadata (for example, metadata whose Release file signature has been verified before the Packages file is read). Avoid ingesting or processing Packages files from untrusted or unverified sources.

Credits

  • This issue was discovered by AISLE in partnership with Red Hat.

Problem Types

  • CWE: Stack-based Buffer Overflow