CVE-2026-48863
Received Received - Intake

Stack-Based Buffer Overflow in libsolv PGP Verification

Vulnerability report for CVE-2026-48863, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Red Hat, Inc.

Description

A flaw was found in libsolv. A stack-based buffer overflow vulnerability exists in the PGP verification component due to incorrect length handling when copying EdDSA 's' MPI into a stack buffer. A remote attacker could craft a malicious Ed25519 PGP signature with mismatched MPI lengths. Processing this crafted signature could lead to a denial of service in automated package or repository processing workflows.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
opensuse libsolv 0.7.38

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48863 is a stack-based buffer overflow in libsolv's EdDSA PGP signature verification. It occurs when processing Ed25519 signatures due to incorrect length handling. The code copies the 's' component of the signature using the wrong length variable, causing a buffer overflow of up to 31 bytes.

Impact Analysis

This vulnerability can lead to denial of service in automated package or repository processing workflows where signed content is verified. If exploited, it may crash systems processing malicious Ed25519 PGP signatures, disrupting software updates or package installations.

Detection Guidance

To detect this vulnerability, check the version of libsolv installed on your system. Run 'rpm -q libsolv' on RPM-based systems or 'dpkg -l libsolv' on Debian-based systems. If the version is below 0.7.38, the system is vulnerable. Additionally, inspect PGP signature verification logs for crashes or errors during Ed25519 signature processing.

Mitigation Strategies

Immediately update libsolv to version 0.7.38 or later. If updating is not possible, disable Ed25519 PGP signature verification in libsolv by recompiling with ENABLE_PGPVRFY disabled. Monitor automated package or repository processing workflows for signs of exploitation or crashes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48863. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart