Bug 2460975 (CVE-2026-48863) - CVE-2026-48863 libsolv: Stack-based buffer overflow in libsolv EdDSA PGP signature verification allows denial of service
Summary: CVE-2026-48863 libsolv: Stack-based buffer overflow in libsolv EdDSA PGP sign...
Keywords:
Status: NEW
Alias: CVE-2026-48863
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-23 00:58 UTC by OSIDB Bzimport
Modified: 2026-05-26 18:54 UTC (History)
23 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-23 00:58:13 UTC
AI_ONLY_REPORT
package: libsolv-0.7.33-2.el10
------
Summary: Stack-based Buffer Overflow in EdDSA PGP Verification: libsolv  
uses `rlen` instead of `slen` when copying the EdDSA `s` MPI into a 64-byte  
stack buffer, allowing crafted Ed25519 signatures with mismatched MPI  
lengths to overflow the buffer by up to 31 bytes during PGP verification.
Requirements to exploit: An attacker must get a vulnerable libsolv consumer  
to verify a crafted EdDSA/Ed25519 PGP signature through `solv_pgpvrfy()`.  
The affected build must include `ENABLE_PGPVRFY` and Ed25519 support; in  
common package or repository signature-processing workflows,  
attacker-controlled signed content or metadata may be verified  
automatically once delivered.
Component affected: libsolv - `ext/solv_pgpvrfy.c` (`solv_pgpvrfy()` EdDSA  
verification path)
Version affected: `libsolv-0.7.33-2.el10` is confirmed vulnerable. Broader  
version bounds could not be determined from the provided snapshot, but  
builds containing the same `memcpy(sigdata + 64 - slen, s, rlen)` line and  
compiled with `ENABLE_PGPVRFY` and `ENABLE_PGPVRFY_ED25519` are likely  
affected.
Patch available: Proposed fix included below; upstream release status  
unknown.
Version fixed (if any already): unknown
Upstream coordination: Not yet notified. A private disclosure draft is  
available.
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 (HIGH)
AV:N - In common libsolv consumer workflows, signed repository or  
package data can be delivered over the network for automatic verification.
AC:L - The issue is triggered by malformed EdDSA MPI lengths; no race or  
unusual precondition is required.
PR:N - The attacker needs no privileges on the target system.
UI:N - Signature verification can occur automatically when the signed  
content or metadata is processed.
S:U  - The overwrite occurs within the verifying process.
C:N  - No confidentiality impact was demonstrated.
I:N  - No integrity impact was demonstrated.
A:H  - Further review confirmed a reachable stack overwrite with  
reliable crash potential; impact beyond denial of service remains unproven.
Impact: Likely Important. This is a real memory-safety flaw in  
signature-verification code that processes attacker-controlled PGP  
signature data. Further review confirmed the out-of-bounds stack write is  
reachable and can plausibly cause denial of service in automated package or  
repository processing, but the report does not demonstrate code execution  
or direct confidentiality or integrity impact.
Embargo: yes
Reason: This is a real memory-corruption issue in signature-verification  
code with no known upstream fix. Even though impact beyond denial of  
service is unproven, coordinated disclosure is appropriate until  
maintainers can assess and patch it.
Suggested public date: 16-Jul-2026
Acknowledgement: Aisle Research
Steps to reproduce:
1. Build libsolv with AddressSanitizer and with PGP verification enabled  
(`ENABLE_PGPVRFY=ON`; Ed25519 support is enabled by default in source).
2. Invoke `solv_pgpvrfy(pub, publ, sig, sigl)` with an EdDSA public key  
(`pub[0] = 22`) that contains the expected Ed25519 OID/check bytes and a  
32-byte public key payload, and a signature where `sig[0] = 22`, `sig[1] =  
8` (SHA-256), the hash prefix is 32 bytes, the `r` MPI has bit length  
`0x0100` and 32 non-zero bytes, and the `s` MPI has bit length `0x0001` and  
a single non-zero byte.
3. After the hash prefix, use the following minimal triggering layout  
for the signature MPIs:
```text
[r MPI: 0x01 0x00 | 32 bytes]
[s MPI: 0x00 0x01 | 0x01]
```
4. During verification, execution reaches `memcpy(sigdata + 64 - slen,  
s, rlen)`; when `rlen > slen`, the copy writes past the end of `sigdata`.
5. With ASan enabled, expect a `stack-buffer-overflow` report at this  
copy site.


Vulnerability Details






In `ext/solv_pgpvrfy.c`, `r` and `s` are parsed independently, so their  
lengths can differ before the Ed25519 formatting step:
```c
r = findmpi(&mpi, &mpil, 256, &rlen);
s = findmpi(&mpi, &mpil, 256, &slen);
...
rlen = (rlen + 7) / 8;
slen = (slen + 7) / 8;
if (rlen)
memcpy(sigdata + 32 - rlen, r, rlen);
if (slen)
memcpy(sigdata + 64 - slen, s, rlen);
```
If `rlen = 32` and `slen = 1`, the second `memcpy` starts at `sigdata + 63`  
and copies 32 bytes, overflowing the 64-byte stack buffer by 31 bytes.  
Further review also traced attacker-controlled signature bytes into this  
path through libsolv's signature-verification code in `repo_pubkey.c` and  
found that malformed packets are not rejected before this copy.
Most relevant CWEs:
`CWE-121` Stack-based Buffer Overflow

`CWE-787` Out-of-bounds Write

`CWE-805` Buffer Access with Incorrect Length Value




Proposed Fix






```diff
diff --git a/ext/solv_pgpvrfy.c b/ext/solv_pgpvrfy.c
@@ -586,10 +586,12 @@
memset(sigdata, 0, 64);
rlen = (rlen + 7) / 8;
slen = (slen + 7) / 8;
+        if (rlen != 32 || slen != 32)
+          return 0;
if (rlen)
memcpy(sigdata + 32 - rlen, r, rlen);
if (slen)
         memcpy(sigdata + 64 - slen, s, rlen);
+          memcpy(sigdata + 64 - slen, s, slen);
          res = mped25519(pub + 1 + 10 + 2 + 1, sigdata, sig + 2, hashl);
```


------
This report was generated using AI technology. Always review AI-generated  
content prior to use

Comment 2 Petr Pisar 2026-05-25 07:48:19 UTC
Upstream confirmed this bug:

> Regarding 2460975: That's a valid bug, but is's in solv_pgpvrfy.c
> which is not enabled by default and I certainly don't know of
> any distribution that uses this. I'll drop the code completely in
> the next mayor release.
> [...]
> Hmm, I mis-remembered. It *is* enabled if you build for SUSE. Still
> I don't know of anybody actually using it. libzypp certainly
> doesn't use it.
> [...]
> Btw, will you guys create a CVE for this bug?

Comment 3 Petr Pisar 2026-05-26 16:01:50 UTC
Fixed in upstream with:

commit 44f8c085045b1f771641091bbb2b810d12cff9e8
Author: Michael Schroeder <mls>
Date:   Tue May 26 10:30:31 2026 +0200

    Fix wrong variable being used in solv_pgpvrfy

and included in 0.7.38 upstream release.


Note You need to log in before you can comment on or make changes to this bug.