PatchSiren cyber security CVE debrief
CVE-2026-9149 Red Hat CVE debrief
CVE-2026-9149 describes a heap buffer overflow in libsolv’s repo_add_solv path. A specially crafted .solv file containing negative size values can lead to an undersized allocation followed by an out-of-bounds write, creating a denial-of-service risk. The supplied corpus points to libsolv as the affected project, with Red Hat tracking references and an upstream openSUSE/libsolv pull request suggesting remediation activity.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators, distro maintainers, and application developers who ship or embed libsolv, especially in workflows that process .solv files from external or untrusted sources.
Technical summary
The supplied NVD record describes a heap-based buffer overflow (CWE-122) in libsolv’s repo_add_solv function. The trigger is a crafted .solv file with negative size values, which can cause an undersized memory allocation and then an out-of-bounds write. NVD’s CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating availability impact is the primary concern and that user interaction is required.
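As an added illustration (not libsolv's code and not the real .solv layout), this shows the input validation that closes the bug class described above: a hypothetical length-prefixed record whose declared size is checked for sign, an upper bound, and the bytes actually present before anything is allocated. The record layout, `MAX_RECORD_LEN` and the sample inputs are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout (NOT the real .solv format): a 4-byte
 * big-endian signed length followed by that many payload bytes. */
#define MAX_RECORD_LEN (64u * 1024u)   /* assumed sanity cap for the example */

enum parse_status { PARSE_OK = 0, PARSE_ERR_SHORT, PARSE_ERR_NEGATIVE,
                    PARSE_ERR_TOOBIG, PARSE_ERR_TRUNCATED, PARSE_ERR_OOM };

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one record from buf[0..len). On success *out holds a malloc'd copy
 * of the payload and *out_len its length; the caller frees *out. */
enum parse_status parse_record(const unsigned char *buf, size_t len,
                               unsigned char **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (len < 4) return PARSE_ERR_SHORT;
    uint32_t raw = read_be32(buf);
    /* The bug class in CVE-2026-9149: a negative size flowing into an
     * allocation. With a signed on-disk field, the top bit set means
     * negative in two's complement; reject it before any arithmetic. */
    if (raw & 0x80000000u) return PARSE_ERR_NEGATIVE;
    size_t n = (size_t)raw;
    /* Cap before allocating so a huge declared size cannot exhaust memory. */
    if (n > MAX_RECORD_LEN) return PARSE_ERR_TOOBIG;
    /* The declared size must fit inside the bytes that are actually present,
     * otherwise the copy below would read past the input buffer. */
    if (n > len - 4) return PARSE_ERR_TRUNCATED;
    unsigned char *p = malloc(n ? n : 1);
    if (!p) return PARSE_ERR_OOM;
    memcpy(p, buf + 4, n);
    *out = p; *out_len = n;
    return PARSE_OK;
}

/* Constructed sample inputs for the demo (not real .solv data). */
const unsigned char SAMPLE_OK[]    = {0, 0, 0, 3, 'a', 'b', 'c'};
const unsigned char SAMPLE_NEG[]   = {0xff, 0xff, 0xff, 0xfc, 'a', 'b', 'c'}; /* length -4 */
const unsigned char SAMPLE_TRUNC[] = {0, 0, 0, 10, 'a', 'b', 'c'};            /* claims 10, has 3 */

/* Parse one sample and report only the status; any payload is freed here. */
enum parse_status parse_sample(const unsigned char *buf, size_t len) {
    unsigned char *p; size_t n;
    enum parse_status st = parse_record(buf, len, &p, &n);
    free(p);                                   /* free(NULL) is a no-op */
    return st;
}
```

The ordering matters: the sign check comes first, the cap second, and the fit-in-buffer check third, so no size-derived value is used for allocation or copying until all three have passed.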
Defensive priority
Patch promptly for any deployment that ingests untrusted .solv files; otherwise schedule as a medium-priority memory-safety fix and backport where applicable.
Recommended defensive actions
- Determine whether libsolv is used directly or through a package-management or repository-processing component.
- Apply the vendor update or downstream backport that contains the fix referenced by the upstream openSUSE/libsolv pull request.
- Treat .solv files from untrusted or external sources as sensitive inputs until patched.
- Monitor affected systems for crashes, abnormal exits, or memory-corruption indicators in components that parse .solv data.
- Rebuild and redeploy dependent packages after applying the relevant fix or backport.
Evidence notes
This debrief is based only on the supplied NVD modified record and the listed official references. The corpus identifies libsolv-related remediation activity via a Red Hat security page, a Red Hat Bugzilla issue, and an upstream openSUSE/libsolv pull request. Vendor/product attribution remains low-confidence in the supplied data, so this summary avoids claiming a fully confirmed downstream product impact beyond libsolv itself.
Official resources
Publicly recorded on 2026-05-21 in the CVE/NVD sources supplied here. No Known Exploited Vulnerabilities (KEV) entry is included in the corpus, and the vendor/product mapping is not fully resolved in the provided data.