CVE-2026-2219
Published: 2026-03-07
Priority: P3 · 41 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.42% (33.5th percentile)
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dpkg | < dpkg 1.23.6 (forky) | dpkg 1.23.6 (forky) |
| debian | dpkg | >= 0 < 1.22.22 | 1.22.22 |
| debian | dpkg | >= 0 < 1.23.6 | 1.23.6 |
| debian | dpkg | >= 1.21.18 < 1.23.6 | 1.23.6 |
| debian | dpkg | >= 1.21.18 < 1.21.23 | 1.21.23 |
| debian | dpkg | >= 1.22.0 < 1.22.22 | 1.22.22 |
| debian | dpkg | >= 1.23.0 < 1.23.6 | 1.23.6 |
| ubuntu | dpkg | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
OSV
osv · 2026-03-07 · CVSS 7.5 · severity HIGH
Description identical to the one given above.
GHSA
GHSA-x8w5-j8fh-hpvp · ghsa_unreviewed · 2026-03-07 · severity HIGH · CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop')
Description identical to the one given above.
Ubuntu
vendor_ubuntu · 2026-05-07
Title: dpkg vulnerability
Summary: dpkg could be made to stop responding if it opened a specially crafted file.
Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
vendor_debian · 2026 · CVSS 7.5 · severity HIGH
Description identical to the one given above.
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 1.23.6)
sid: resolved (fixed in 1.23.6)
trixie: resolved (fixed in 1.22.22)
No detection rules found.
No public exploits indexed.