CVE-2026-44605
Public on 2026-07-01
Modified on 2026-07-01
Description
A heap buffer overflow exists in RPM's NDB database backend (lib/backend/ndb/rpmpkg.c) due to unchecked 32-bit arithmetic when parsing the slot table. The slotnpages value is read directly from the on-disk NDB header and used in a 32-bit multiplication (slotnpages * (PAGE_SIZE / SLOT_SIZE)) to size a heap allocation. A crafted Packages.db can supply a slotnpages value that wraps this product to a small number, causing xcalloc to allocate an undersized buffer. The subsequent loop iterates over the full unwrapped page count, writing pkgslot entries past the heap boundary before per-slot validation runs. Exploitation requires the victim to open a crafted NDB database file with RPM tooling, and NDB is not the default backend in Fedora or RHEL (both default to sqlite).
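The arithmetic described above, as an added C example (not RPM's source code): the first function reproduces the wrapping 32-bit product, and the second is a hypothetical pre-allocation check on the header field. The `PAGE_SIZE` and `SLOT_SIZE` values, both function names, and the file-size bound are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u   /* assumed value, for illustration only */
#define SLOT_SIZE 16u     /* assumed value, for illustration only */
#define SLOTS_PER_PAGE (PAGE_SIZE / SLOT_SIZE)

/* The sizing pattern the advisory describes: a 32-bit product that can wrap. */
uint32_t unchecked_slot_count(uint32_t slotnpages)
{
    return slotnpages * SLOTS_PER_PAGE;
}

/*
 * Hypothetical hardened helper: validate the on-disk header field before
 * any allocation. Returns 0 and stores the slot count on success, or -1
 * when the header value is inconsistent with the file or would wrap.
 */
int checked_slot_count(uint32_t slotnpages, uint64_t file_size, uint32_t *nslots)
{
    if (slotnpages == 0)
        return -1;
    /* The slot pages must physically fit inside the database file. */
    if ((uint64_t)slotnpages > file_size / PAGE_SIZE)
        return -1;
    /* The entry count must be representable in the 32-bit type used later. */
    uint64_t wide = (uint64_t)slotnpages * SLOTS_PER_PAGE;
    if (wide > UINT32_MAX)
        return -1;
    *nslots = (uint32_t)wide;
    return 0;
}

int main(void)
{
    uint32_t crafted = 0x01000001u;  /* constructed header value */
    uint32_t n = 0;

    printf("unchecked: %u entries sized, page loop would cover %llu\n",
           unchecked_slot_count(crafted),
           (unsigned long long)crafted * SLOTS_PER_PAGE);
    printf("checked against a 1 MiB file: %d\n",
           checked_slot_count(crafted, 1u << 20, &n));
    return 0;
}
```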
Severity
CVSS v3 Base Score
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Mock2 Extra | compat-rpm-411 | | | Not Affected |
| Amazon Linux 2 - Core | rpm | | | Not Affected |
| Amazon Linux 2 - Mock2 Extra | rpm | | | Not Affected |
| Amazon Linux 2023 | rpm | | | Pending Fix |
CVSS Scores
| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |