CVE-2026-9150 is a stack-based buffer overflow vulnerability in libsolv, an open-source dependency resolution library, specifically within its Debian metadata parser when processing SHA-384 or SHA-512 checksums. An attacker who can supply malicious package metadata could potentially trigger the overflow to execute arbitrary code or crash affected services. This vulnerability is relevant to Azure environments that rely on libsolv for package management operations, such as those running Linux-based workloads or services that consume package repositories.

Architect’s Take: Identify any Azure Linux VMs, container images, or managed services (such as Azure Kubernetes Service nodes) that use libsolv for dependency resolution, and prioritise patching to the remediated version. In the interim, consider restricting access to untrusted or external package repositories to reduce exposure.

Original advisory: CVE-2026-9150 Libsolv: stack-based buffer overflow in libsolv’s debian metadata parser when handling sha384/sha512 checksums