CVE-2026-2219

Published: 3/7/2026
Last updated: 3/9/2026
Reserved: 2/8/2026

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

CNA assigner: debian (79363d38-fa19-49d1-9214-5f28da3f3ac5)
Requested by: n/a

Metrics

| Version | Score | Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | High | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

Opam packages affected (1)

conf-dpkg

Products affected (1)

| Product | Vendor | Version |
|---|---|---|
| dpkg | Debian | < 6.1.7601.27520 |

References (4)

Credits (2)