The update for libsolv, libzypp, and zypper resolves seven distinct vulnerabilities: CVE-2026-9149 (heap buffer overflow via negative maxsize in .solv files), CVE-2026-9150 (stack buffer overflow in Debian metadata parser handling SHA384/SHA512 checksums), CVE-2026-25707 (arbitrary local file overwrite via crafted repo metadata), CVE-2026-44933 (prevention of script escape from signature verification directory), CVE-2026-44941 and CVE-2026-44942 (path traversal via 'keyhint' and .repo file path entries), and CVE-2026-48863 (buffer overflow parsing EdDSA signatures). The libzypp component was updated to version 17.38.13 with enhanced validation to disallow repo paths outside the base URL and discard metadata entries that would reference locations outside the local cache. libsolv was updated to version 0.7.39 with improved robustness against corrupt files and added limit checks to prevent overflows. These changes collectively improve security by preventing memory corruption, unauthorized file writes, and path traversal attacks in repository handling.

Exploitation of these vulnerabilities could lead to memory corruption (heap and stack buffer overflows), application crashes, and unauthorized overwriting of local files. Path traversal issues could allow attackers to access or modify files outside intended directories. These vulnerabilities affect the integrity and stability of package management operations, potentially enabling local attackers to compromise system security or disrupt package management processes.

An official security update is available that addresses all listed vulnerabilities. Users should apply the update to libsolv, libzypp, and zypper as provided by the SUSE Product Security Team. The update enforces path restrictions, sanitizes repository metadata, and fixes buffer overflow conditions. No additional mitigation steps are required beyond applying the official update.