DEBIAN-CVE-2026-9149

Source
https://security-tracker.debian.org/tracker/CVE-2026-9149
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-9149.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-9149
Upstream
  • CVE-2026-9149
Published
2026-05-21T00:16:35.630Z
Modified
2026-06-11T09:04:22.631681865Z
Summary
[none]
Details

A flaw was found in libsolv. A heap buffer overflow occurs in the repo_add_solv function when a victim processes a specially crafted .solv file containing negative size values. The negative sizes lead to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).

References

Affected packages

Debian:11 / libsolv

Package

Name
libsolv
Purl
pkg:deb/debian/libsolv?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.7.17-1
0.7.17-1+deb11u1
0.7.17-2
0.7.20-1
0.7.21-1
0.7.22-1
0.7.23-1
0.7.24-1
0.7.25-1
0.7.26-1
0.7.26-2
0.7.27-1
0.7.27-2
0.7.28-1
0.7.28-1.1~exp1
0.7.29-1
0.7.30-1
0.7.30-2
0.7.31-1
0.7.32-1
0.7.35-1
0.7.36-1
0.7.37-1
0.7.38-1
0.7.39-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-9149.json"

Debian:12 / libsolv

Package

Name
libsolv
Purl
pkg:deb/debian/libsolv?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.7.23-1
0.7.23-1+deb12u1
0.7.24-1
0.7.25-1
0.7.26-1
0.7.26-2
0.7.27-1
0.7.27-2
0.7.28-1
0.7.28-1.1~exp1
0.7.29-1
0.7.30-1
0.7.30-2
0.7.31-1
0.7.32-1
0.7.35-1
0.7.36-1
0.7.37-1
0.7.38-1
0.7.39-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-9149.json"

Debian:13 / libsolv

Package

Name
libsolv
Purl
pkg:deb/debian/libsolv?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.7.32-1
0.7.35-1
0.7.36-1
0.7.37-1
0.7.38-1
0.7.39-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-9149.json"

Debian:14 / libsolv

Package

Name
libsolv
Purl
pkg:deb/debian/libsolv?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.7.38-1

Affected versions

0.*
0.7.32-1
0.7.35-1
0.7.36-1
0.7.37-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-9149.json"