<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Libsolv on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/libsolv/</link><description>Recent content in Libsolv on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Thu, 04 Jun 2026 08:45:36 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/libsolv/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-9149: Libsolv Heap Buffer Overflow in Azure</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-9149-libsolv-heap-buffer-overflow-azure/</link><pubDate>Thu, 04 Jun 2026 08:45:36 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-9149-libsolv-heap-buffer-overflow-azure/</guid><description>CVE-2026-9149 is a heap buffer overflow in libsolv triggered by a crafted .solv file. Learn the impact on Azure Linux workloads and how to remediate.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9149">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-9149 is a heap buffer overflow vulnerability in libsolv, an open-source dependency resolver library used in Linux package management. The flaw can be triggered by a specially crafted .solv file that supplies a negative maxsize value, causing memory corruption in the repo_add_solv function. This matters because libsolv is widely used in Linux-based environments, including Azure workloads, and memory corruption bugs of this nature can potentially lead to arbitrary code execution.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Identify any Azure-hosted Linux workloads, containers, or pipelines that use libsolv or package managers dependent on it (such as zypper or libdnf), and prioritise patching to the fixed version. Additionally, restrict the ingestion of untrusted .solv files within your build and dependency management pipelines to reduce attack surface.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9149">CVE-2026-9149 Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file</a></p>
]]></content:encoded></item><item><title>CVE-2026-9150: Libsolv Buffer Overflow in Azure</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-9150-libsolv-stack-buffer-overflow-azure-debian-metadata/</link><pubDate>Thu, 04 Jun 2026 08:45:29 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-9150-libsolv-stack-buffer-overflow-azure-debian-metadata/</guid><description>CVE-2026-9150 is a stack-based buffer overflow in libsolv's Debian metadata parser affecting SHA-384/SHA-512 checksums. Learn the Azure security impact and</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9150">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-9150 is a stack-based buffer overflow vulnerability in libsolv, an open-source dependency resolution library, specifically within its Debian metadata parser when processing SHA-384 or SHA-512 checksums. An attacker who can supply malicious package metadata could potentially trigger the overflow to execute arbitrary code or crash affected services. This vulnerability is relevant to Azure environments that rely on libsolv for package management operations, such as those running Linux-based workloads or services that consume package repositories.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Identify any Azure Linux VMs, container images, or managed services (such as Azure Kubernetes Service nodes) that use libsolv for dependency resolution, and prioritise patching to the remediated version. In the interim, consider restricting access to untrusted or external package repositories to reduce exposure.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9150">CVE-2026-9150 Libsolv: stack-based buffer overflow in libsolv&rsquo;s debian metadata parser when handling sha384/sha512 checksums</a></p>
]]></content:encoded></item></channel></rss>