Red Hat Security Advisory: libsolv security update
Multiple security vulnerabilities have been identified in the libsolv library used for resolving package dependencies. These include a stack-based buffer overflow in the Debian metadata parser when handling SHA384/SHA512 checksums (CVE-2026-9150), and two heap buffer overflows: one in repo_add_solv triggered by a negative maxsize from a crafted .solv file (CVE-2026-9149), and another in repopagestore caused by unchecked decompression of malicious .solv page data (CVE-2026-48864). Red Hat has released security updates addressing these issues in Red Hat Enterprise Linux 10 and related products. The vulnerabilities have been rated with moderate severity by Red Hat Product Security.
AI Analysis
Technical Summary
The libsolv library, which provides package dependency resolution using a satisfiability algorithm, contains three distinct buffer overflow vulnerabilities. CVE-2026-9150 is a stack-based buffer overflow in the Debian metadata parser related to SHA384/SHA512 checksum handling. CVE-2026-9149 is a heap buffer overflow in the repo_add_solv function caused by a crafted .solv file with a negative maxsize value. CVE-2026-48864 is another heap buffer overflow in repopagestore due to unchecked decompression of malicious .solv page data. These vulnerabilities could potentially lead to memory corruption. Red Hat has issued a security advisory (RHSA-2026:28236) providing updated libsolv packages for Red Hat Enterprise Linux 10 and related variants to remediate these issues.
Potential Impact
These vulnerabilities involve stack and heap buffer overflows that could lead to memory corruption within the libsolv library. Such memory corruption may cause application crashes or potentially allow execution of arbitrary code if exploited. The advisory rates the overall security impact as moderate. There are no known exploits in the wild at this time.
Mitigation Recommendations
Red Hat has released updated libsolv packages that address these vulnerabilities for Red Hat Enterprise Linux 10 and related products. Users should apply the official security update as detailed in Red Hat advisory RHSA-2026:28236 and the referenced article https://access.redhat.com/articles/11258. Applying this update will remediate the buffer overflow issues. No additional mitigation steps are indicated by the vendor.
Red Hat Security Advisory: libsolv security update
Description
Multiple security vulnerabilities have been identified in the libsolv library used for resolving package dependencies. These include a stack-based buffer overflow in the Debian metadata parser when handling SHA384/SHA512 checksums (CVE-2026-9150), and two heap buffer overflows: one in repo_add_solv triggered by a negative maxsize from a crafted .solv file (CVE-2026-9149), and another in repopagestore caused by unchecked decompression of malicious .solv page data (CVE-2026-48864). Red Hat has released security updates addressing these issues in Red Hat Enterprise Linux 10 and related products. The vulnerabilities have been rated with moderate severity by Red Hat Product Security.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The libsolv library, which provides package dependency resolution using a satisfiability algorithm, contains three distinct buffer overflow vulnerabilities. CVE-2026-9150 is a stack-based buffer overflow in the Debian metadata parser related to SHA384/SHA512 checksum handling. CVE-2026-9149 is a heap buffer overflow in the repo_add_solv function caused by a crafted .solv file with a negative maxsize value. CVE-2026-48864 is another heap buffer overflow in repopagestore due to unchecked decompression of malicious .solv page data. These vulnerabilities could potentially lead to memory corruption. Red Hat has issued a security advisory (RHSA-2026:28236) providing updated libsolv packages for Red Hat Enterprise Linux 10 and related variants to remediate these issues.
Potential Impact
These vulnerabilities involve stack and heap buffer overflows that could lead to memory corruption within the libsolv library. Such memory corruption may cause application crashes or potentially allow execution of arbitrary code if exploited. The advisory rates the overall security impact as moderate. There are no known exploits in the wild at this time.
Mitigation Recommendations
Red Hat has released updated libsolv packages that address these vulnerabilities for Red Hat Enterprise Linux 10 and related products. Users should apply the official security update as detailed in Red Hat advisory RHSA-2026:28236 and the referenced article https://access.redhat.com/articles/11258. Applying this update will remediate the buffer overflow issues. No additional mitigation steps are indicated by the vendor.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:28236
- Cve Count
- 3
- Additional Cves
- ["CVE-2026-9150","CVE-2026-48864"]
- Cvss Version
- null
Threat ID: 6a3c0cf3eed863c81e239d0f
Added to database: 06/24/2026, 16:59:31 UTC
Last enriched: 06/24/2026, 17:07:13 UTC
Last updated: 06/24/2026, 19:03:31 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.