CVE-2026-2219

CVE-2026-2219

Name

CVE-2026-2219

Description

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security@debian.org	https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
security@debian.org	https://bugs.debian.org/1129722

Type

URI

security@debian.org

https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313

security@debian.org

https://bugs.debian.org/1129722

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:debian:dpkg::::::::`	dpkg	>= 1.21.18	< 1.21.23
`cpe:2.3:a:debian:dpkg::::::::`	dpkg	>= 1.22.0	< 1.22.22
`cpe:2.3:a:debian:dpkg::::::::`	dpkg	>= 1.23.0	< 1.23.6

CPE URI

Source package

Min version

Max version

cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*

dpkg

>= 1.21.18

< 1.21.23

cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*

dpkg

>= 1.22.0

< 1.22.22

cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*

dpkg

>= 1.23.0

< 1.23.6

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
dpkg	edge-main	1.23.5-r0	qaqland <qaq@qaq.land>	fixed
dpkg	edge-main	1.23.4-r1	qaqland <qaq@qaq.land>	fixed
dpkg	edge-main	1.23.4-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.23.3-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.23.2-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.23.1-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.23.0-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.22.21-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.22.20-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.22.19-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.22.15-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.22.14-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.22.13-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.22.12-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	edge-main	1.22.11-r0	Celeste <cielesti@protonmail.com>	fixed
dpkg	3.23-main	1.22.21-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
dpkg	3.22-main	1.22.15-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
dpkg	3.21-main	1.22.11-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
dpkg	3.20-main	1.22.6-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
dpkg	3.19-main	1.22.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages