A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.
CVE-2026-9150
Score 6.5 from GitHub Security Advisory published 2026-05-21. a secondary CVSS source baseline 6.5; sources differ by 0.0.
- Lower severity and no public exploit yet
A fix is available — apply it.
- CVSS v3
- 6.5
- EG Score
- 6.5(medium)
- EPSS
- 32.0%
- KEV
- Not listed
Published
May 20, 2026
Last Modified
June 29, 2026
Advisory Details (3)
Auto-updated May 29, 2026Fix a buffer overflow when copying SHA-384/512 checksum from a Debian repository
Fix merged in openSUSE/libsolv PR #616 on 2026-04-22 — awaiting tagged release
https://github.com/openSUSE/libsolv/pull/6162460379 – (CVE-2026-9150) CVE-2026-9150 libsolv: Stack-based buffer overflow in libsolv's Debian metadata parser when handling SHA384/SHA512 checksums
https://bugzilla.redhat.com/show_bug.cgi?id=2460379Vendor Advisories for CVE-2026-9150(5)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2026:30649Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
- RHSA-2026:28236Red Hat Product SecurityMedium
Red Hat Security Advisory: libsolv security update
- CVE-2026-9150Microsoft Security Response Center (MSRC)Medium
Libsolv: stack-based buffer overflow in libsolv's debian metadata parser when handling sha384/sha512 checksums
- RHSA-2026:21333Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
- GHSA-p4w9-3pj8-mhq7GitHub Security AdvisoriesMedium
A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's...
Frequently asked(5)
What is CVE-2026-9150?
When was CVE-2026-9150 disclosed?
Is CVE-2026-9150 actively exploited?
What is the CVSS score of CVE-2026-9150?
How do I remediate CVE-2026-9150?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-9150
Is Your Infrastructure Affected by CVE-2026-9150?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.