Bug 2482481 (CVE-2026-44605) - CVE-2026-44605 rpm: heap buffer overflow in NDB slot table parsing
Summary: CVE-2026-44605 rpm: heap buffer overflow in NDB slot table parsing
Keywords:
Status: NEW
Alias: CVE-2026-44605
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2482482 2482483
Blocks:
 
Reported: 2026-05-28 05:41 UTC by OSIDB Bzimport
Modified: 2026-06-29 12:36 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-28 05:41:49 UTC
A heap buffer overflow exists in RPM's NDB database backend (lib/backend/ndb/rpmpkg.c) due to unchecked 32-bit arithmetic when parsing the slot table. The slotnpages value is read directly from the on-disk NDB header and used in a 32-bit multiplication (slotnpages * (PAGE_SIZE / SLOT_SIZE)) to size a heap allocation. A crafted Packages.db can supply a slotnpages value that wraps this product to a small number, causing xcalloc to allocate an undersized buffer. The subsequent loop iterates over the full unwrapped page count, writing pkgslot entries past the heap boundary before per-slot validation runs. Exploitation requires the victim to open a crafted NDB database file with RPM tooling, and NDB is not the default backend in Fedora or RHEL (both default to sqlite).
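The sizing pattern described above next to a checked form, as an added example that is not part of the bug report and is not rpm's code. The constant values (4096-byte pages, 16-byte slots), the function names, and the file-size bound are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values: the report names PAGE_SIZE and SLOT_SIZE but gives no numbers. */
#define NDB_PAGE_SIZE  4096u
#define NDB_SLOT_SIZE  16u
#define SLOTS_PER_PAGE (NDB_PAGE_SIZE / NDB_SLOT_SIZE)

/* Pattern from the report: the product is computed in 32 bits and wraps silently,
 * so the allocation size and the loop bound (the real page count) can disagree. */
static uint32_t slot_count_unchecked(uint32_t slotnpages)
{
    return slotnpages * SLOTS_PER_PAGE;
}

/* Hardened sizing (hypothetical helper): widen before multiplying, reject a
 * product that does not fit in 32 bits, and reject a page count that the file
 * on disk cannot contain. Returns 0 and sets *nslots on success, -1 otherwise. */
static int slot_count_checked(uint32_t slotnpages, uint64_t file_size,
                              uint32_t *nslots)
{
    uint64_t wide = (uint64_t)slotnpages * SLOTS_PER_PAGE;

    if (wide > UINT32_MAX)
        return -1;                      /* header value would wrap the size */
    if ((uint64_t)slotnpages * NDB_PAGE_SIZE > file_size)
        return -1;                      /* header claims more pages than exist */
    *nslots = (uint32_t)wide;
    return 0;
}

int main(void)
{
    uint32_t hdr = 0x01000001u;         /* constructed header value */
    uint32_t n = 0;

    printf("unchecked slots: %u\n", slot_count_unchecked(hdr));
    printf("checked result:  %d\n", slot_count_checked(hdr, 1u << 20, &n));
    return 0;
}
```

The check runs before any allocation or loop, so a header value that fails it never reaches the slot-reading code.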

