CVE-2026-9149 Overview
CVE-2026-9149 is a heap buffer overflow vulnerability in libsolv, the library used by package managers such as DNF and Zypper to resolve package dependencies. The flaw resides in the repo_add_solv function, which fails to validate negative size values when parsing .solv files. A crafted .solv file triggers an undersized memory allocation followed by an out-of-bounds write on the heap. An attacker who convinces a victim to process a malicious .solv file can cause a denial of service (DoS). The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow).
Critical Impact
Processing a crafted .solv file leads to heap memory corruption and application crash, disrupting package management operations on affected Linux systems.
Affected Products
- libsolv (openSUSE upstream project)
- Red Hat Enterprise Linux distributions bundling vulnerable libsolv versions
- Package managers and tooling that link against libsolv (DNF, Zypper, PackageKit)
Discovery Timeline
- 2026-05-21 - CVE-2026-9149 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-9149
Vulnerability Analysis
The vulnerability resides in the repo_add_solv function inside libsolv. This function parses binary .solv files containing serialized repository metadata. The parser reads size fields from the input file and uses them to allocate buffers for subsequent data. The function does not validate that these size fields are non-negative before passing them to the allocator. When a negative value is interpreted as a signed integer and converted for allocation, it produces an undersized or zero-sized buffer. Later write operations then exceed the allocated boundary and corrupt adjacent heap memory. The result is process termination or undefined behavior in the consuming application.
Root Cause
The root cause is missing input validation on size fields read from untrusted .solv files. The code assumes well-formed input from the repository tooling, but the .solv format can be crafted offline. Negative size values bypass implicit non-negativity assumptions in allocation math, producing the undersized buffer that the parser later overruns. The upstream fix in GitHub Pull Request #617 adds bounds checks that reject negative or implausible size values before allocation.
Attack Vector
Exploitation requires user interaction, as indicated by the CVSS vector component UI:R. An attacker delivers a malicious .solv file through a compromised repository mirror, a crafted package archive, or a social engineering channel. When the victim runs a package manager operation that loads the file via libsolv, the parser triggers the heap overflow. The attack does not require authentication and can be staged remotely by hosting the malicious file on a network-accessible resource. The confirmed impact is denial of service through process crash. Refer to the Red Hat CVE Advisory and Red Hat Bugzilla Report for vendor analysis.
Detection Methods for CVE-2026-9149
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes linking libsolv, such as dnf, zypper, microdnf, or packagekitd.
- .solv files in repository cache directories such as /var/cache/dnf/ or /var/cache/zypp/ originating from untrusted mirrors.
- Core dumps referencing repo_add_solv in the call stack.
Detection Strategies
- Monitor package manager processes for abnormal termination, signal SIGSEGV, or heap corruption messages in dmesg and journalctl output.
- Audit configured repository sources and verify that .solv cache files come from signed, trusted mirrors.
- Run AddressSanitizer-instrumented builds of libsolv in test environments to flag heap-buffer-overflow events during repository refresh.
Monitoring Recommendations
- Forward system logs and crash reports to a centralized logging platform and alert on repeated failures in libsolv-linked binaries.
- Track file integrity of .solv cache files and flag unexpected modifications outside scheduled dnf makecache or zypper refresh operations.
- Inventory hosts running affected libsolv versions and prioritize them for patching.
How to Mitigate CVE-2026-9149
Immediate Actions Required
- Apply vendor-provided libsolv updates as soon as they are published by your Linux distribution.
- Restrict package manager operations to signed, trusted repository mirrors and disable third-party repositories of unknown provenance.
- Clear existing .solv cache files originating from untrusted sources using dnf clean all or zypper clean --all.
Patch Information
The upstream fix is available in the GitHub Pull Request for libsolv, which adds validation for size values parsed by repo_add_solv. Distribution-specific patches are tracked in the Red Hat CVE Advisory. Apply distribution updates through dnf update libsolv or zypper update libsolv once the patched package is available in your channel.
Workarounds
- Avoid running package management commands that consume .solv files from untrusted sources until patches are applied.
- Configure repository definitions to require GPG signature verification with gpgcheck=1 and repo_gpgcheck=1 in .repo files.
- Restrict write access to repository cache directories so only privileged update processes can modify .solv files.
# Configuration example: enforce signature verification in DNF repo files
# /etc/yum.repos.d/example.repo
[example]
name=Example Repository
baseurl=https://repo.example.com/path/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.example.com/RPM-GPG-KEY-example
# Clear potentially malicious cached .solv files
sudo dnf clean all
sudo dnf makecache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
