CVE-2026-2219

Source
https://cve.org/CVERecord?id=CVE-2026-2219
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2219.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2219
Downstream
Related
Published
2026-03-07T08:10:53.207Z
Modified
2026-07-15T15:20:05.129484Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2219.json",
    "cna_assigner": "debian"
}
References

Affected packages

Git / git.dpkg.org/cgit/dpkg/dpkg.git

Affected ranges

Type
GIT
Repo
https://git.dpkg.org/cgit/dpkg/dpkg.git
Events
Introduced
ebc2c3def335ac391b010323ab65a302648f3ec7
Fixed
e1277e8910a539bc75643fc09fdfce72efb40c75
Introduced
744487c98a622b9b38c22c6ca330315af4a30a11
Fixed
58e5927f9f2103e94574d92edbd93e41ab93384a
Introduced
6169b4f7c2678fb6270a785a54142c7d3d0077bd
Fixed
91c2348515166010927429adbd8eb8a50064b632
Fixed
6610297a62c0780dd0e80b0e302ef64fdcc9d313
Database specific
{
    "cpe": "cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "1.21.18"
        },
        {
            "fixed": "1.21.23"
        },
        {
            "introduced": "1.22.0"
        },
        {
            "fixed": "1.22.22"
        },
        {
            "introduced": "1.23.0"
        },
        {
            "fixed": "1.23.6"
        }
    ]
}

Affected versions

1.*
1.21.18
1.21.19
1.21.20
1.21.21
1.21.22
1.22.0
1.22.1
1.22.10
1.22.11
1.22.12
1.22.13
1.22.14
1.22.15
1.22.16
1.22.17
1.22.18
1.22.19
1.22.2
1.22.20
1.22.21
1.22.3
1.22.4
1.22.5
1.22.6
1.22.7
1.22.8
1.22.9
1.23.0
1.23.1
1.23.2
1.23.3
1.23.4
1.23.5

Database specific

vanir_signatures
[
    {
        "source": "https://git.dpkg.org/cgit/dpkg/dpkg.git@6610297a62c0780dd0e80b0e302ef64fdcc9d313",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "245494360424293954015091094140295027202",
            "length": 480.0
        },
        "id": "CVE-2026-2219-1c9f15b1",
        "signature_type": "Function",
        "target": {
            "function": "filter_unzstd_code",
            "file": "lib/dpkg/compress.c"
        }
    },
    {
        "source": "https://git.dpkg.org/cgit/dpkg/dpkg.git@6610297a62c0780dd0e80b0e302ef64fdcc9d313",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "12195665675581459700096585737005087611",
                "287612384907204631831144275473975402648",
                "287266668066199483871727179562060628833"
            ]
        },
        "id": "CVE-2026-2219-4e3b3cc7",
        "signature_type": "Line",
        "target": {
            "file": "lib/dpkg/compress.c"
        }
    }
]
vanir_signatures_modified
"2026-07-15T15:20:05Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2219.json"