Description
A flaw was found in libsolv. A stack-based buffer overflow vulnerability exists in the PGP verification component due to incorrect length handling when copying EdDSA 's' MPI into a stack buffer. A remote attacker could craft a malicious Ed25519 PGP signature with mismatched MPI lengths. Processing this crafted signature could lead to a denial of service in automated package or repository processing workflows.
Published: n/a
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Libsolv contains a stack‑based buffer overflow in the PGP verification component due to incorrect length handling when copying the 's' MPI of an EdDSA signature into a stack buffer. The flaw allows a remote attacker to craft a malicious Ed25519 PGP signature with mismatched MPI lengths, which can trigger the overflow during verification and terminate the process. This results in a denial of service to automated package or repository processing workflows without affecting confidentiality or integrity.
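As an added illustration of the missing check described above (not libsolv's code, whose internals the entry does not show), a hardened OpenPGP MPI copy that rejects any Ed25519 's' value whose declared length disagrees with the fixed 32-byte stack buffer, the packet, or its own leading byte; all function names and the sample signature bodies are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ED25519_MPI_BYTES 32  /* r and s of an Ed25519 signature are 32 bytes each */

/* Copy one OpenPGP MPI (RFC 4880 3.2: 2-byte big-endian bit count, then ceil(bits/8)
 * bytes) from buf[0..len) into a fixed 32-byte buffer, zero-padded on the left.
 * Returns input bytes consumed, or 0 when the MPI is rejected. Hypothetical helper. */
size_t mpi_copy_fixed(const uint8_t *buf, size_t len, uint8_t out[ED25519_MPI_BYTES])
{
    if (len < 2) return 0;
    unsigned bits = ((unsigned)buf[0] << 8) | buf[1];
    size_t nbytes = (bits + 7) / 8;
    if (nbytes > ED25519_MPI_BYTES) return 0;                  /* exceeds the stack buffer */
    if (len - 2 < nbytes) return 0;                            /* exceeds the packet */
    if (nbytes && (buf[2] >> ((bits - 1) % 8)) != 1) return 0; /* count vs. leading byte */
    memset(out, 0, ED25519_MPI_BYTES);
    memcpy(out + (ED25519_MPI_BYTES - nbytes), buf + 2, nbytes);
    return 2 + nbytes;
}

/* An EdDSA signature body is two MPIs, r then s. Returns 1 only if both fit and
 * the body is consumed exactly, else 0. */
int parse_eddsa_sig(const uint8_t *body, size_t len,
                    uint8_t r[ED25519_MPI_BYTES], uint8_t s[ED25519_MPI_BYTES])
{
    size_t n = mpi_copy_fixed(body, len, r);
    if (n == 0) return 0;
    size_t m = mpi_copy_fixed(body + n, len - n, s);
    return m != 0 && n + m == len;
}

/* Constructed, non-cryptographic sample body: a full 256-bit r followed by an s
 * whose declared bit count and actual byte count are chosen by the caller. */
static int try_sig(unsigned s_bits, size_t s_bytes_present)
{
    uint8_t body[2 + 32 + 2 + 64], r[ED25519_MPI_BYTES], s[ED25519_MPI_BYTES];
    size_t off = 0;
    body[off++] = 0x01; body[off++] = 0x00;                   /* r: 256 bits */
    memset(body + off, 0x80, 32); off += 32;                   /* top bit set, as declared */
    body[off++] = (uint8_t)(s_bits >> 8); body[off++] = (uint8_t)s_bits;
    memset(body + off, 0x80, s_bytes_present); off += s_bytes_present;
    return parse_eddsa_sig(body, off, r, s);
}

int well_formed_sig(void)      { return try_sig(256, 32); } /* accepted: 1 */
int oversized_s(void)          { return try_sig(264, 33); } /* 33-byte s rejected: 0 */
int truncated_s(void)          { return try_sig(256, 16); } /* packet too short: 0 */
int mismatched_bit_count(void) { return try_sig(255, 32); } /* count disagrees with data: 0 */
```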

Affected Systems

The CVE entry does not list specific distributors or product versions. libsolv is a library used in many Linux distribution package managers and related tools. Any installation that relies on an unpatched version of libsolv for handling PGP signatures could be affected. Based on the description, it is inferred that the vulnerability impacts those systems that automatically process PGP‑signed packages or repositories.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The flaw is exploitable remotely by an attacker who can supply a crafted EdDSA PGP signature to the verification routine. The attack requires only malicious input and can be carried out within automated package or repository processing workflows, potentially impacting availability of systems that depend on libsolv.

Generated by OpenCVE AI on May 27, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libsolv to the latest patched release as soon as it becomes available.
  • If an update cannot be performed immediately, disable EdDSA signature verification or enforce stricter validation where possible to prevent malformed signatures from being processed.
  • Monitor package and repository processing logs for abnormal or malformed PGP signatures that could indicate an attempted exploitation.

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    vendor Libsolv; product Libsolv libsolv
Vendors & Products                     vendor Libsolv; product Libsolv libsolv

Wed, 27 May 2026 00:15:00 +0000

Type          Values Removed          Values Added
Description                           A flaw was found in libsolv. A stack-based buffer overflow vulnerability exists in the PGP verification component due to incorrect length handling when copying EdDSA 's' MPI into a stack buffer. A remote attacker could craft a malicious Ed25519 PGP signature with mismatched MPI lengths. Processing this crafted signature could lead to a denial of service in automated package or repository processing workflows.
Title                                 libsolv: Stack-based buffer overflow in libsolv EdDSA PGP signature verification allows denial of service
Weaknesses                            CWE-121
References
Metrics       threat_severity: None   cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Important


MITRE: No data.

Vulnrichment: No data.

NVD: No data.

Redhat

Severity: Important

Published Date: 2026-05-26T18:53:04Z

Links: CVE-2026-48863 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T21:22:42Z

Weaknesses
  • CWE-121: Stack-based Buffer Overflow