CVE-2026-2219 (GCVE-0-2026-2219)

Vulnerability from cvelistv5 – Published: 2026-03-07 08:10 – Updated: 2026-03-09 14:52
VLAI
Summary
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
References
Impacted products
Vendor Product Version
Debian dpkg Affected: 1.21.18 , < 1.23.6 (semver)
Create a notification for this product.
Credits
Yashashree Gund
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-2219",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T14:52:13.047553Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-835",
                "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T14:52:18.435Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "dpkg",
          "vendor": "Debian",
          "versions": [
            {
              "lessThan": "1.23.6",
              "status": "affected",
              "version": "1.21.18",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Yashashree Gund"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIt was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).\u003c/p\u003e"
            }
          ],
          "value": "It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T10:02:03.145Z",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://bugs.debian.org/1129722"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2026-2219",
    "datePublished": "2026-03-07T08:10:53.207Z",
    "dateReserved": "2026-02-08T15:48:51.824Z",
    "dateUpdated": "2026-03-09T14:52:18.435Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-2219",
      "date": "2026-06-22",
      "epss": "0.00418",
      "percentile": "0.33281"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-2219\",\"sourceIdentifier\":\"security@debian.org\",\"published\":\"2026-03-07T09:16:07.823\",\"lastModified\":\"2026-06-02T19:12:25.850\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 que dpkg-deb (un componente de dpkg, el sistema de gesti\u00f3n de paquetes de Debian) no valida correctamente el final del flujo de datos al descomprimir un archivo .deb comprimido con zstd, lo que puede resultar en denegaci\u00f3n de servicio (bucle infinito que consume la CPU).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.21.18\",\"versionEndExcluding\":\"1.21.23\",\"matchCriteriaId\":\"A268C989-1F46-4E99-B78A-BE27F95A319E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.22.0\",\"versionEndExcluding\":\"1.22.22\",\"matchCriteriaId\":\"2D775719-5B8C-4CDA-ABAA-1CA570EE3E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.23.0\",\"versionEndExcluding\":\"1.23.6\",\"matchCriteriaId\":\"B98E9E45-D48E-4B0F-B721-EBB9C862AC4D\"}]}]}],\"references\":[{\"url\":\"https://bugs.debian.org/1129722\",\"source\":\"security@debian.org\",\"tags\":[\"Issue Tracking\",\"Mailing List\"]},{\"url\":\"https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313\",\"source\":\"security@debian.org\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2219\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T14:52:13.047553Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-835\", \"description\": \"CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T14:52:03.318Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Yashashree Gund\"}], \"affected\": [{\"vendor\": \"Debian\", \"product\": \"dpkg\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.21.18\", \"lessThan\": \"1.23.6\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313\", \"tags\": [\"patch\"]}, {\"url\": \"https://bugs.debian.org/1129722\", \"tags\": [\"issue-tracking\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIt was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).\u003c/p\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"79363d38-fa19-49d1-9214-5f28da3f3ac5\", \"shortName\": \"debian\", \"dateUpdated\": \"2026-03-07T10:02:03.145Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-2219\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T14:52:18.435Z\", \"dateReserved\": \"2026-02-08T15:48:51.824Z\", \"assignerOrgId\": \"79363d38-fa19-49d1-9214-5f28da3f3ac5\", \"datePublished\": \"2026-03-07T08:10:53.207Z\", \"assignerShortName\": \"debian\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.