Nixpkgs security tracker

Untriaged

Permalink CVE-2026-9150

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 1 week, 4 days ago Activity log

Created suggestion 1 week, 4 days ago

Libsolv: stack-based buffer overflow in libsolv's debian metadata parser when handling sha384/sha512 checksums

A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.

References

https://access.redhat.com/security/cve/CVE-2026-9150 vdb-entryx_refsource_REDHAT
RHBZ#2460379 x_refsource_REDHATissue-tracking
https://github.com/openSUSE/libsolv/pull/616

Affected products

rhcos

libsolv

satellite-capsule:el8/libsolv

Matching in nixpkgs

pkgs.libsolv

Free package dependency solver

nixos-unstable 0.7.35
- nixpkgs-unstable 0.7.36
- nixos-unstable-small 0.7.36
nixos-25.11 0.7.35
- nixos-25.11-small 0.7.35
- nixpkgs-25.11-darwin 0.7.35

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.libsolv