CVE-2026-2219

HIGH

dpkg 1.21.18-1.23.6 - Denial of Service via Zstd Decompression Infinite Loop

Title source: llm

Description

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

References (2)

Core 2

Core References

Issue Tracking issue-tracking

https://bugs.debian.org/1129722

Patch patch

https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313

Scores

CVSS v3 7.5

EPSS 0.0042

EPSS Percentile 33.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-835

Status published

Products (2)

debian/dpkg 1.21.18 - 1.21.23

Debian/dpkg 1.21.18 - 1.23.6

Published Mar 07, 2026

Tracked Since Mar 07, 2026