CVE-2026-2219
published 2026-03-07

Priority: P3 41
Severity: high
CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.42% (33.5th percentile)
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Affected (8 ranges)

Vendor    Product   Version range                  Fixed in
debian    dpkg      < dpkg 1.23.6 (forky)          dpkg 1.23.6 (forky)
debian    dpkg      >= 0 < 1.22.22                 1.22.22
debian    dpkg      >= 0 < 1.23.6                  1.23.6
debian    dpkg      >= 1.21.18 < 1.23.6            1.23.6
debian    dpkg      >= 1.21.18 < 1.21.23           1.21.23
debian    dpkg      >= 1.22.0 < 1.22.22            1.22.22
debian    dpkg      >= 1.23.0 < 1.23.6             1.23.6
ubuntu    dpkg      (no range given)               (no fix given)

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv             -         7.5     HIGH       -
vendor_debian   -         7.5     HIGH       -