Detections
Analytics

SUSE SLED15: libsolv-devel / libsolv-tools / libsolv-tools-base / libzypp / etc (SUSE-SU-2026:2575-1)

high Nessus Plugin ID 322932

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2575-1 advisory.

 This update for libsolv, libzypp, zypper fixes the following issues

 - CVE-2026-9149: Heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file (bsc#1265935).
 - CVE-2026-9150: Stack-based buffer overflow in libsolv's Debian metadata parser when handling SHA384/SHA512 checksums (bsc#1265938).
 - CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to be overwritten (bsc#1259802).
 - CVE-2026-44933: scan of the Mandatory signature verification plugin support (bsc#1265223).
 - CVE-2026-44941: path traversal via 'keyhint' (bsc#1267426).
 - CVE-2026-44942: .repo files can have an optional path which can lead to path traversal attacks (bsc#1267874).
 - CVE-2026-48863: Fix buffer overflow when parsing EdDSA signature (bsc#1266039).

 Changes in libzypp:

 Updated to version 17.38.13 (35):

 - A .repo files 'path=' entry must not refer to a location outside the repo (bsc#1267874, CVE-2026-44942) A 'path=' entry may solely denote a sub-directory of the baseurl where the metadata are located. A relative path trying to access data outside the baseurl is reported and sanitized.
 - Fix potential crash on malformed or malicious repository metadata (fixes #740)
 - Repo metadata: discard entries referring to a location outside the repo (bsc#1259802, CVE-2026-25707) Mirroring those data locally would refer to a location outside the repo's local cache directory. Those data entries are reported and discarded.
 - zypp.conf: Allow [env] section to add environment variables.
 This feature is designed to enable environment-specific settings or debugging options over an extended period. See zypp.conf(5).
 - Prevent configured scripts from escaping the sigcheck directory (bsc#1265223, CVE-2026-44933)
 - StringV: guard hasPrefix/hasPrefixCI against reading past the view end (fixes #735)
 - Mandatory signature verification plugin support (PED#11922)
 - Fix purge-kernel -rc kernel handling (bsc#1239718)
 - Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
 - Check for trusted key updates when updating the general keyring (bsc#1259706)
 - Support multiple MirroredOrigin authorities (bsc#1253193)
 - Workaround doxygen bug: doxygen/doxygen#12057
 - libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
 - Fix preloader not caching packages from arch specific subrepos (bsc#1253740)
 - Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
 - Fix Product::referencePackage lookup (bsc#1259311) Use a provided autoproduct() as hint to the package name of the release package. It might be that not just multiple versions of the same release package provide the same product version, but also different release packages.
 - specfile: on fedora use %{_prefix}/share as zyppconfdir if %{_distconfdir} is undefined (fixes #693) This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
 - Fall back to a writable location when precaching packages without root (bsc#1247948)
 - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
 See the ZYPP.CONF(5) man page for details.
 - Fix runtime check for broken rpm --runposttrans (bsc#1257068)
 - Avoid libcurl-mini4 when building as it does not support ftp protocol.
 - Translation: updated .pot file.
 - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
 See the ZYPP.CONF(5) man page for details.
 - cmake: correctly detect rpm6 (fixes #689)
 - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435)
 - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 )

 Changes in libsolv:

 Updated to version 0.7.39:

 - fix solv_chksum_free segfault when called with a NULL pointer
 - made repo_add_solv more robust against corrupt files [bsc#1265935] [CVE-2026-9149]
 - fix potential buffer overflow when verifying EdDSA signatures [bsc#1266039] [CVE-2026-48863]
 - added limit checks in multiple places to catch overflows
 - reduce the size of the language id cache
 - fixed Debian canon selection
 - fixed dbpath detection in repo_rpmdb_librpm
 - reduced stack usage in repo page compression (needed for musl)
 - fix parsing of sha512 checksums in debian repositories [bsc#1265938] [CVE-2026-9150]
 - improve speed of dirpool_add_dir makeing parsing of filelists.xml twice as fast
 - fix parsing of recommends in the old Mandriva synthesis format
 - respect the 'default' attribute in environment optionlist in the comps parser
 - support suse namespace deps in boolean dependencies [bsc#1258193]
 - support for the Elbrus2000 (e2k) architecture
 - support language() suse namespace rewriting

 Changes in zypper:

 Update to version 1.14.98:

 - Transactional systems: Delegate rw-commands to transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607) On a transactional system where the root filesystem is mounted read-only, zypper commands that modify the system cannot be executed directly.
 If the system provides a transactional-wrapper utility, zypper will automatically attempt to invoke it. The wrapper transparently executes the zypper command within a new, writable snapshot and manages the lifecycle of that snapshot based on the command's exit status.
 On transactional systems lacking a transactional-wrapper, users must manually invoke specialized tools -such as transactional-update- to install, update, or remove software.
 - Add --filter-version-change to zypper lu.
 Adds filtering by version change significance to reduce noise in update listings. Supports levels: rebuild (hides rebuild-only changes) and package (hides all release-only changes).
 - Autorefresh ris-services the way as plugin-services (bsc#1246504) It's actually wrong to treat service refreshes different depending on the service type. For the purpose of a service it makes no difference how the data about the repos to use are acquired.
 - Report download progress for command line rpms (fixes #613)
 - Hint to '-vv ref' to see the mirrors used to download the metadata (bsc#1257882)
 - Service: Allow 'zypper ls SERVICE ...' to test whether a service with this alias is defined (bsc#1252744) The command prints an abstract of all services passed on the command line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some argument does not name an existing service.
 - Keep repo data when updating the service settings (bsc#1252744)
 - info: Enhance pattern content table (bsc#1158038) Alternatives (multiple packages providing the same requirement) are now listed as a single entry in the content table. The entry shows either the installed package which satisfies the requirement or the requirement itself as type 'Provides'.
 Listing all potential alternatives was miss leading, especially if the alternatives were mutual exclusive. It looked like an installed pattern had not-installed requirements and it was not possible to install all requirements at the same time.

 Original description from SUSE:Maintenance:44536:

 This update for libsolv, libzypp fixes the following issues

 Security issues:

 - CVE-2026-9149: Heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file (bsc#1265935).
 - CVE-2026-9150: Stack-based buffer overflow in libsolv's Debian metadata parser when handling SHA384/SHA512 checksums (bsc#1265938).
 - CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to be overwritten (bsc#1259802).
 - CVE-2026-44933: scan of the Mandatory signature verification plugin support (bsc#1265223).
 - CVE-2026-44942: .repo files can have an optional path which can lead to path traversal attacks (bsc#1267874).
 - CVE-2026-48863: Fix bufffer overflow when parsing EdDSA signature (bsc#1266039).

 Changes in libzypp:

 Updated to version 17.38.13 (35):

 - Fix potential crash on malformed or malicious repository metadata (fixes #740)
 - Repo metadata: discard entries referring to a location outside the repo (bsc#1259802, CVE-2026-25707) Mirroring those data locally would refer to a location outside the repo's local cache directory. Those data entries are reported and discarded.
 - zypp.conf: Allow [env] section to add environment variables.
 This feature is designed to enable environment-specific settings or debugging options over an extended period. See zypp.conf(5).
 - Prevent configured scripts from escaping the sigcheck directory (bsc#1265223, CVE-2026-44933)
 - StringV: guard hasPrefix/hasPrefixCI against reading past the view end (fixes #735)
 - Mandatory signature verification plugin support (PED#11922)
 - Fix purge-kernel -rc kernel handling (bsc#1239718)
 - Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
 - Check for trusted key updates when updating the general keyring (bsc#1259706)
 - Support multiple MirroredOrigin authorities (bsc#1253193)
 - Workaround doxygen bug: doxygen/doxygen#12057
 - libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
 - Fix preloader not caching packages from arch specific subrepos (bsc#1253740)
 - Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
 - Fix Product::referencePackage lookup (bsc#1259311) Use a provided autoproduct() as hint to the package name of the release package. It might be that not just multiple versions of the same release package provide the same product version, but also different release packages.
 - specfile: on fedora use %{_prefix}/share as zyppconfdir if %{_distconfdir} is undefined (fixes #693) This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
 - Fall back to a writable location when precaching packages without root (bsc#1247948)
 - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
 See the ZYPP.CONF(5) man page for details.
 - Fix runtime check for broken rpm --runposttrans (bsc#1257068)
 - Avoid libcurl-mini4 when building as it does not support ftp protocol.
 - Translation: updated .pot file.
 - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
 See the ZYPP.CONF(5) man page for details.
 - cmake: correctly detect rpm6 (fixes #689)
 - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435)
 - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 )

 Changes in libsolv:

 Updated to version 0.7.39:

 - fix solv_chksum_free segfault when called with a NULL pointer
 - made repo_add_solv more robust against corrupt files [bsc#1265935] [CVE-2026-9149]
 - fix potential buffer overflow when verifying EdDSA signatures [bsc#1266039] [CVE-2026-48863]
 - added limit checks in multiple places to catch overflows
 - reduce the size of the language id cache
 - fixed Debian canon selection
 - fixed dbpath detection in repo_rpmdb_librpm
 - reduced stack usage in repo page compression (needed for musl)
 - fix parsing of sha512 checksums in debian repositories [bsc#1265938] [CVE-2026-9150]
 - improve speed of dirpool_add_dir makeing parsing of filelists.xml twice as fast
 - fix parsing of recommends in the old Mandriva synthesis format
 - respect the 'default' attribute in environment optionlist in the comps parser
 - support suse namespace deps in boolean dependencies [bsc#1258193]
 - support for the Elbrus2000 (e2k) architecture
 - support language() suse namespace rewriting

 Update to version 1.14.98:

 - Transactional systems: Delegate rw-commands to transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607) On a transactional system where the root filesystem is mounted read-only, zypper commands that modify the system cannot be executed directly.
 If the system provides a transactional-wrapper utility, zypper will automatically attempt to invoke it. The wrapper transparently executes the zypper command within a new, writable snapshot and manages the lifecycle of that snapshot based on the command's exit status.
 On transactional systems lacking a transactional-wrapper, users must manually invoke specialized tools -such as transactional-update- to install, update, or remove software.
 - Add --filter-version-change to zypper lu.
 Adds filtering by version change significance to reduce noise in update listings. Supports levels: rebuild (hides rebuild-only changes) and package (hides all release-only changes).
 - Autorefresh ris-services the way as plugin-services (bsc#1246504) It's actually wrong to treat service refreshes different depending on the service type. For the purpose of a service it makes no difference how the data about the repos to use are acquired.
 - Report download progress for command line rpms (fixes #613)
 - Hint to '-vv ref' to see the mirrors used to download the metadata (bsc#1257882)
 - Service: Allow 'zypper ls SERVICE ...' to test whether a service with this alias is defined (bsc#1252744) The command prints an abstract of all services passed on the command line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some argument does not name an existing service.
 - Keep repo data when updating the service settings (bsc#1252744)
 - info: Enhance pattern content table (bsc#1158038) Alternatives (multiple packages providing the same requirement) are now listed as a single entry in the content table. The entry shows either the installed package which satisfies the requirement or the requirement itself as type 'Provides'.
 Listing all potential alternatives was miss leading, especially if the alternatives were mutual exclusive. It looked like an installed pattern had not-installed requirements and it was not possible to install all requirements at the same time.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1158038

https://bugzilla.suse.com/1239718

https://bugzilla.suse.com/1246504

https://bugzilla.suse.com/1247948

https://bugzilla.suse.com/1249435

https://bugzilla.suse.com/1252744

https://bugzilla.suse.com/1253193

https://bugzilla.suse.com/1253740

https://bugzilla.suse.com/1257068

https://bugzilla.suse.com/1257882

https://bugzilla.suse.com/1258193

https://bugzilla.suse.com/1259311

https://bugzilla.suse.com/1259706

https://bugzilla.suse.com/1259802

https://bugzilla.suse.com/1259842

https://bugzilla.suse.com/1265223

https://bugzilla.suse.com/1265935

https://bugzilla.suse.com/1265938

https://bugzilla.suse.com/1266039

https://bugzilla.suse.com/1267426

https://bugzilla.suse.com/1267874

https://www.suse.com/security/cve/CVE-2026-25707

https://www.suse.com/security/cve/CVE-2026-44933

https://www.suse.com/security/cve/CVE-2026-44941

https://www.suse.com/security/cve/CVE-2026-44942

https://www.suse.com/security/cve/CVE-2026-48863

https://www.suse.com/security/cve/CVE-2026-9149

https://www.suse.com/security/cve/CVE-2026-9150

http://www.nessus.org/u?0f908fdc

Plugin Details

Severity: High

ID: 322932

File Name: suse_SU-2026-2575-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/26/2026

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, tenable_cloud_security, tenable_self_hosted_container_security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 8.3

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2026-44941

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2026-9149

CVSS v4

Risk Factor: High

Base Score: 8.5

Threat Score: 5.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-44933

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:zypper, p-cpe:/a:novell:suse_linux:libsolv-tools-base, p-cpe:/a:novell:suse_linux:libsolv-devel, p-cpe:/a:novell:suse_linux:zypper-log, p-cpe:/a:novell:suse_linux:perl-solv, p-cpe:/a:novell:suse_linux:libzypp, p-cpe:/a:novell:suse_linux:libsolv-tools, p-cpe:/a:novell:suse_linux:zypper-needs-restarting, p-cpe:/a:novell:suse_linux:ruby-solv, p-cpe:/a:novell:suse_linux:python3-solv, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:libzypp-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/23/2026

Vulnerability Publication Date: 5/20/2026

Reference Information

CVE: CVE-2026-25707, CVE-2026-44933, CVE-2026-44941, CVE-2026-44942, CVE-2026-48863, CVE-2026-9149, CVE-2026-9150

SuSE: SUSE-SU-2026:2575-1