CVE-2025-6966

MEDIUM

python-apt - Denial of Service via Malformed Non-UTF-8 Key in TagSection.keys()

Title source: llm

Description

NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.

References (2)

Core 2

Core References

Exploit, Issue Tracking, Third Party Advisory

https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865

Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2025/12/msg00019.html

Scores

CVSS v3 5.5

EPSS 0.0004

EPSS Percentile 12.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (10)

debian/debian_linux 11.0

ubuntu/python-apt 0.9.3.5 ubuntu1 (2 CPE variants)

ubuntu/python-apt 0.9.3.11 (2 CPE variants)

ubuntu/python-apt 1.1.0 beta1 (18 CPE variants)

ubuntu/python-apt 1.6.6

ubuntu/python-apt 2.0.1

ubuntu/python-apt 2.4.0 \+22.10 (6 CPE variants)

ubuntu/python-apt 2.7.7 (7 CPE variants)

ubuntu/python-apt 3.0.0 (2 CPE variants)

ubuntu/python-apt < 0.9.3.11

Published Dec 05, 2025

Tracked Since Feb 18, 2026