ALAS2-2026-3338


Amazon Linux 2 Security Advisory: ALAS2-2026-3338
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
Severity: Important

Issue Overview:

A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service. (CVE-2026-48864)

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS). (CVE-2026-9149)

A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system. (CVE-2026-9150)


Affected Packages:

libsolv


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run `yum update libsolv` or `yum update --advisory ALAS2-2026-3338` to update your system.

New Packages:
aarch64:
    libsolv-0.6.34-4.amzn2.0.1.aarch64
    libsolv-devel-0.6.34-4.amzn2.0.1.aarch64
    libsolv-tools-0.6.34-4.amzn2.0.1.aarch64
    libsolv-demo-0.6.34-4.amzn2.0.1.aarch64
    python2-solv-0.6.34-4.amzn2.0.1.aarch64
    libsolv-debuginfo-0.6.34-4.amzn2.0.1.aarch64

i686:
    libsolv-0.6.34-4.amzn2.0.1.i686
    libsolv-devel-0.6.34-4.amzn2.0.1.i686
    libsolv-tools-0.6.34-4.amzn2.0.1.i686
    libsolv-demo-0.6.34-4.amzn2.0.1.i686
    python2-solv-0.6.34-4.amzn2.0.1.i686
    libsolv-debuginfo-0.6.34-4.amzn2.0.1.i686

src:
    libsolv-0.6.34-4.amzn2.0.1.src

x86_64:
    libsolv-0.6.34-4.amzn2.0.1.x86_64
    libsolv-devel-0.6.34-4.amzn2.0.1.x86_64
    libsolv-tools-0.6.34-4.amzn2.0.1.x86_64
    libsolv-demo-0.6.34-4.amzn2.0.1.x86_64
    python2-solv-0.6.34-4.amzn2.0.1.x86_64
    libsolv-debuginfo-0.6.34-4.amzn2.0.1.x86_64
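
Added example (not part of the advisory or of any Amazon tooling): a fleet-inventory check that reads `rpm -qa` style lines and reports packages from this advisory that are older than the fixed build 0.6.34-4.amzn2.0.1. The version comparison is a simplified form of rpm's ordering that assumes no epoch and no `~` or `^` markers, and the sample inventory is constructed.

```python
import re

# Fixed version-release and binary package names, taken from the advisory.
FIXED_VERSION, FIXED_RELEASE = "0.6.34", "4.amzn2.0.1"
ADVISORY_PACKAGES = {"libsolv", "libsolv-devel", "libsolv-tools",
                     "libsolv-demo", "python2-solv", "libsolv-debuginfo"}

def rpmvercmp(a, b):
    """Simplified rpm-style compare: -1, 0 or 1 (assumes no epoch, '~' or '^')."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # compare numbers by value, not as text
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments sort newer

def parse_nvra(line):
    """Split 'name-version-release.arch' into a 4-tuple, or None if malformed."""
    nvr, _, arch = line.strip().rpartition(".")
    parts = nvr.rsplit("-", 2)
    return (*parts, arch) if len(parts) == 3 else None

def needs_update(line):
    """True if the line names an advisory package older than the fixed build."""
    parsed = parse_nvra(line)
    if parsed is None or parsed[0] not in ADVISORY_PACKAGES:
        return False
    _, version, release, _ = parsed
    order = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
    return order < 0

def audit(lines):
    return [line.strip() for line in lines if needs_update(line)]

# Constructed inventory; only the second entry is a build listed in the advisory.
SAMPLE = [
    "libsolv-0.6.34-4.amzn2.x86_64",
    "libsolv-tools-0.6.34-4.amzn2.0.1.x86_64",
    "python2-solv-0.6.34-2.amzn2.0.2.aarch64",
    "openssl-1.0.2k-24.amzn2.0.1.x86_64",
    "libsolv-0.7.20-1.amzn2.x86_64",
]

if __name__ == "__main__":
    for pkg in audit(SAMPLE):
        print("below fixed build:", pkg)
```

On a host, the input can come from `rpm -qa`; for an authoritative comparison on the system itself, rely on rpm's own version ordering rather than this simplified one.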