๐Ÿ” CVE Alert

CVE-2026-2219

Severity HIGH
CVSS Score 7.5
EPSS Score 0.0%
EPSS Percentile 0th

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Vendor debian
Product dpkg
Ecosystems
Industries
Technology
Published Mar 7, 2026
Last Updated Mar 9, 2026
Affected Versions

Debian / dpkg
>= 1.21.18, < 1.23.6

References

git.dpkg.org: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
bugs.debian.org: https://bugs.debian.org/1129722

Credits

๐Ÿ” Yashashree Gund