Amazon Linux 2 : libsolv, --advisory ALAS2-2026-3338 (ALAS-2026-3338)

medium Nessus Plugin ID 319816

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of libsolv installed on the remote host is prior to 0.6.34-4. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3338 advisory.

A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service. (CVE-2026-48864)

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the repo_add_solv function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS). (CVE-2026-9149)

A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system. (CVE-2026-9150)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update libsolv' or 'yum update --advisory ALAS2-2026-3338' to update your system.

See Also

https://alas.aws.amazon.com//AL2/ALAS2-2026-3338.html

https://alas.aws.amazon.com/faqs.html

https://explore.alas.aws.amazon.com/CVE-2026-48864.html

https://explore.alas.aws.amazon.com/CVE-2026-9149.html

https://explore.alas.aws.amazon.com/CVE-2026-9150.html

Plugin Details

Severity: Medium

ID: 319816

File Name: al2_ALAS-2026-3338.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/8/2026

Updated: 6/8/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-9149

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:python2-solv, p-cpe:/a:amazon:linux:libsolv-devel, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:libsolv-demo, p-cpe:/a:amazon:linux:libsolv-tools, p-cpe:/a:amazon:linux:libsolv, p-cpe:/a:amazon:linux:libsolv-debuginfo

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/8/2026

Vulnerability Publication Date: 5/20/2026

Reference Information

CVE: CVE-2026-48864, CVE-2026-9149, CVE-2026-9150