PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9150 Red Hat CVE debrief

CVE-2026-9150 describes a stack-based buffer overflow in libsolv’s Debian metadata parser. According to the supplied record, specially crafted Debian repository metadata containing malicious SHA384 or SHA512 checksum tags can lead to memory corruption and a denial of service. NVD lists the issue with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating network reachability, no privileges required, and high availability impact.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Security teams that operate Linux package-management workflows, maintain Debian-based repositories or mirrors, or ship software that depends on libsolv should review this issue. Distribution maintainers and platform owners who ingest repository metadata from external or less-trusted sources should prioritize patching and validation.

Technical summary

The supplied sources identify a CWE-121 stack-based buffer overflow in libsolv’s Debian metadata parser. The flaw is triggered while processing specially crafted Debian repository metadata, and the reported condition specifically mentions malicious SHA384 or SHA512 checksum tags. The expected impact in the record is memory corruption with denial of service, and the NVD CVSS vector reflects a user-interaction requirement with high availability impact.

Defensive priority

Medium priority overall, but higher for environments that regularly process Debian repository metadata through libsolv. Apply vendor or upstream fixes promptly in package-management stacks, especially where repository metadata can be influenced by third parties.

Recommended defensive actions

  • Apply the vendor or distribution package update that contains the libsolv fix as soon as it is available.
  • Review systems that parse Debian repository metadata with libsolv, including package managers, build systems, and mirror infrastructure.
  • Prefer trusted, signed repository metadata and restrict ingestion from untrusted or unaudited sources.
  • Monitor for crashes or instability in package-management tooling and validate that patched builds resolve the issue.
  • Track Red Hat and upstream openSUSE/libsolv references for remediation guidance and packaged fixes.
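As an added defensive example (written for this debrief, not code from libsolv, Red Hat or openSUSE), the following Python script is a pre-ingestion gate for Debian Packages metadata on a mirror or build host: it parses the control-style stanzas and flags any checksum field (MD5sum, SHA1, SHA256, SHA384, SHA512) whose value is not a hex digest of the expected length, so malformed SHA384/SHA512 values are rejected before the file reaches a parser such as libsolv. The field names and digest lengths are the standard ones; the sample stanzas are constructed, and the check complements, rather than replaces, applying the vendor fix.

```python
import re
from typing import Dict, List

# Expected hex-digest length (bits / 4) for each checksum field that can
# appear in Debian Packages/Sources metadata.
EXPECTED_HEX_LEN = {
    "md5sum": 32,
    "sha1": 40,
    "sha256": 64,
    "sha384": 96,
    "sha512": 128,
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split a Debian control-style file into stanzas of Field: value pairs.

    Stanzas are separated by blank lines; continuation lines (leading
    space or tab) are appended to the previous field. Field names are
    case-insensitive in Debian control files, so keys are lower-cased.
    """
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key is not None:
            current[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line without a field separator; skip it
        last_key = key.strip().lower()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def check_checksums(stanza: Dict[str, str]) -> List[str]:
    """Return one finding per checksum field that is not a well-formed digest."""
    findings = []
    pkg = stanza.get("package", "<unknown>")
    for field, want in EXPECTED_HEX_LEN.items():
        if field not in stanza:
            continue
        value = stanza[field]
        if len(value) != want:
            findings.append(f"{pkg}: {field} has length {len(value)}, expected {want}")
        elif not HEX_RE.match(value):
            findings.append(f"{pkg}: {field} contains non-hex characters")
    return findings


def audit_packages_file(text: str) -> List[str]:
    """Audit every stanza; an empty list means the file passed the gate."""
    findings = []
    for stanza in parse_stanzas(text):
        findings.extend(check_checksums(stanza))
    return findings


# Constructed sample: one well-formed stanza and one with a SHA384 value that
# is the right length but not hex, plus a SHA512 value far longer than 128 chars.
SAMPLE_PACKAGES = "\n".join([
    "Package: good-pkg",
    "Version: 1.0-1",
    "Filename: pool/main/g/good-pkg_1.0-1_amd64.deb",
    "SHA256: " + "ab" * 32,
    "SHA512: " + "cd" * 64,
    "",
    "Package: bad-pkg",
    "Version: 2.0-1",
    "SHA384: " + "zz" * 48,
    "SHA512: " + "ef" * 200,
    "",
])

if __name__ == "__main__":
    for finding in audit_packages_file(SAMPLE_PACKAGES):
        print("REJECT", finding)
```

Run it against a downloaded Packages file before handing the repository to the package manager; any finding is grounds to refuse the metadata and re-fetch from a trusted, signed source.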

Evidence notes

The evidence corpus links this CVE to NVD’s official record and to Red Hat references, including a security advisory, a Bugzilla report, and an upstream openSUSE/libsolv pull request. The NVD entry lists the vulnerability as Received and provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H with CWE-121. The record date supplied is 2026-05-20T23:16:36.010Z.

Official resources

Published in the supplied NVD record on 2026-05-20T23:16:36.010Z. Supporting references include Red Hat security and Bugzilla pages and an upstream openSUSE/libsolv pull request. The vendor mapping in the supplied metadata is uncertain and,