🟠 High  |  Source: Microsoft Security Response Center
CVE-2026-9149 is a heap buffer overflow vulnerability in libsolv, the open-source dependency resolver library used by several Linux package managers. The flaw is triggered by a specially crafted .solv file that supplies a negative maxsize value, which causes memory corruption in the repo_add_solv function when the file is parsed. This matters because libsolv is widely deployed in Linux-based environments, including Azure workloads, and a memory corruption bug of this kind can lead to arbitrary code execution.

Architect’s Take: Identify any Azure-hosted Linux workloads, containers, or pipelines that use libsolv directly or through package managers that depend on it (such as zypper or libdnf), and prioritise patching to the fixed version. Additionally, restrict the ingestion of untrusted .solv files within your build and dependency management pipelines to reduce the attack surface.

Original advisory: CVE-2026-9149 Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file