This security update for libsolv, libzypp, and zypper addresses seven vulnerabilities: CVE-2026-9149 (heap buffer overflow via negative maxsize in .solv files), CVE-2026-9150 (stack-based buffer overflow in Debian metadata parser for SHA384/SHA512 checksums), CVE-2026-25707 (arbitrary local file overwrite via crafted repo metadata), CVE-2026-44933 (mandatory signature verification plugin bypass), CVE-2026-44941 (path traversal via 'keyhint'), CVE-2026-44942 (path traversal via .repo file 'path=' entries), and CVE-2026-48863 (buffer overflow parsing EdDSA signatures). The update to libzypp version 17.38.13 and libsolv version 0.7.39 includes sanitization of repository paths to prevent traversal outside the base URL, discarding unsafe metadata entries to prevent local file overwrite, and various robustness improvements to prevent crashes and buffer overflows. These fixes mitigate risks of code execution, data corruption, or denial of service caused by malicious repository metadata or crafted files.

The vulnerabilities could allow attackers to cause buffer overflows leading to potential crashes or arbitrary code execution, overwrite arbitrary local files via crafted repository metadata, and bypass signature verification mechanisms. Path traversal issues could enable unauthorized access or modification of files outside intended directories. These issues collectively pose a high security risk to systems using affected versions of libsolv, libzypp, and zypper, potentially compromising system integrity and security.

A security update fixing these vulnerabilities has been released by the SUSE Product Security Team. Users should apply the update to libsolv (version 0.7.39), libzypp (version 17.38.13), and zypper as provided by their SUSE distribution. The update includes official fixes that sanitize repository paths, discard unsafe metadata, and improve robustness against malformed inputs. No additional mitigation steps are required beyond applying the official update.