CVE-2026-2219

Source
https://cve.org/CVERecord?id=CVE-2026-2219
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2219.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2219
Published
2026-03-07T09:16:07.823Z
Modified
2026-04-12T20:21:38.993612Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Affected packages

Git / git.dpkg.org/cgit/dpkg/dpkg.git

Affected ranges

Type
GIT
Repo
https://git.dpkg.org/cgit/dpkg/dpkg.git
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
6610297a62c0780dd0e80b0e302ef64fdcc9d313

Affected versions

1.*
1.1.4
1.1.5
1.1.6
1.10
1.10.1
1.10.10
1.10.11
1.10.12
1.10.13
1.10.14
1.10.15
1.10.16
1.10.17
1.10.18
1.10.18.1
1.10.19
1.10.2
1.10.20
1.10.21
1.10.22
1.10.23
1.10.24
1.10.25
1.10.26
1.10.27
1.10.28
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.10.9
1.13.1.0.1
1.13.10
1.13.11
1.13.11.1
1.13.12
1.13.13
1.13.14
1.13.15
1.13.16
1.13.17
1.13.18
1.13.19
1.13.2
1.13.20
1.13.21
1.13.22
1.13.23
1.13.24
1.13.25
1.13.3
1.13.4
1.13.5
1.13.6
1.13.7
1.13.8
1.13.9
1.14.0
1.14.1
1.14.10
1.14.11
1.14.12
1.14.13
1.14.14
1.14.15
1.14.16
1.14.17
1.14.18
1.14.2
1.14.3
1.14.4
1.14.5
1.14.8
1.14.9
1.15.0
1.15.1
1.15.2
1.15.3
1.15.4
1.15.5
1.15.5.1
1.15.6
1.15.6.1
1.15.7
1.15.8
1.16.0
1.16.1
1.16.10
1.16.2
1.16.3
1.16.4
1.16.5
1.16.6
1.17.0
1.17.1
1.17.10
1.17.11
1.17.12
1.17.13
1.17.14
1.17.15
1.17.16
1.17.17
1.17.18
1.17.19
1.17.2
1.17.20
1.17.21
1.17.22
1.17.23
1.17.3
1.17.4
1.17.5
1.17.6
1.17.7
1.17.8
1.17.9
1.18.0
1.18.1
1.18.10
1.18.11
1.18.12
1.18.13
1.18.14
1.18.15
1.18.16
1.18.17
1.18.18
1.18.19
1.18.2
1.18.20
1.18.21
1.18.22
1.18.23
1.18.24
1.18.3
1.18.4
1.18.5
1.18.6
1.18.7
1.18.8
1.18.9
1.19.0
1.19.1
1.19.2
1.19.3
1.19.4
1.19.5
1.19.6
1.19.7
1.2.0
1.2.1
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.20.0
1.20.1
1.20.2
1.20.3
1.20.4
1.20.5
1.20.6
1.20.7
1.20.8
1.21.0
1.21.1
1.21.10
1.21.11
1.21.12
1.21.13
1.21.14
1.21.15
1.21.16
1.21.17
1.21.18
1.21.19
1.21.2
1.21.20
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
1.21.8
1.21.9
1.22.0
1.22.1
1.22.10
1.22.11
1.22.12
1.22.13
1.22.14
1.22.15
1.22.16
1.22.17
1.22.18
1.22.19
1.22.2
1.22.3
1.22.4
1.22.5
1.22.6
1.22.7
1.22.8
1.22.9
1.23.0
1.23.1
1.23.2
1.23.3
1.23.4
1.23.5
1.3.0
1.3.1
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.4.1.1
1.4.1.10
1.4.1.11
1.4.1.12
1.4.1.14
1.4.1.15
1.4.1.17
1.4.1.19
1.4.1.4
1.4.1.5
1.4.1.7
1.4.1.8
1.4.1.9
1.6
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.7.0
1.7.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2219.json"
vanir_signatures
[
    {
        "digest": {
            "length": 480.0,
            "function_hash": "245494360424293954015091094140295027202"
        },
        "id": "CVE-2026-2219-1c9f15b1",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://git.dpkg.org/cgit/dpkg/dpkg.git@6610297a62c0780dd0e80b0e302ef64fdcc9d313",
        "target": {
            "function": "filter_unzstd_code",
            "file": "lib/dpkg/compress.c"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "12195665675581459700096585737005087611",
                "287612384907204631831144275473975402648",
                "287266668066199483871727179562060628833"
            ]
        },
        "id": "CVE-2026-2219-4e3b3cc7",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://git.dpkg.org/cgit/dpkg/dpkg.git@6610297a62c0780dd0e80b0e302ef64fdcc9d313",
        "target": {
            "file": "lib/dpkg/compress.c"
        }
    }
]
vanir_signatures_modified
"2026-04-12T20:21:38Z"