CVE-2026-2219

HIGH

dpkg-deb - DoS

Title source: llm

Description

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

References (2)

[Issue Tracking] https://bugs.debian.org/1129722

[Patch] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 5.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-835

Status published

Products (1)

Debian/dpkg 1.21.18 - 1.23.6

Published Mar 07, 2026

Tracked Since Mar 07, 2026