CVE-2026-2219

Source
https://cve.org/CVERecord?id=CVE-2026-2219
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-2219.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-2219
Published
2026-03-07T09:16:07.823Z
Modified
2026-03-25T17:42:26.886757Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Affected packages

Git / git.dpkg.org/cgit/dpkg/dpkg.git

Affected ranges

Type
GIT
Repo
https://git.dpkg.org/cgit/dpkg/dpkg.git
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
6610297a62c0780dd0e80b0e302ef64fdcc9d313

Affected versions

1.*
1.1.4
1.1.5
1.1.6
1.10
1.10.1
1.10.10
1.10.11
1.10.12
1.10.13
1.10.14
1.10.15
1.10.16
1.10.17
1.10.18
1.10.18.1
1.10.19
1.10.2
1.10.20
1.10.21
1.10.22
1.10.23
1.10.24
1.10.25
1.10.26
1.10.27
1.10.28
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.10.9
1.13.1.0.1
1.13.10
1.13.11
1.13.11.1
1.13.12
1.13.13
1.13.14
1.13.15
1.13.16
1.13.17
1.13.18
1.13.19
1.13.2
1.13.20
1.13.21
1.13.22
1.13.23
1.13.24
1.13.25
1.13.26
1.13.3
1.13.4
1.13.5
1.13.6
1.13.7
1.13.8
1.13.9
1.14.0
1.14.1
1.14.10
1.14.11
1.14.12
1.14.13
1.14.14
1.14.15
1.14.16
1.14.16.1
1.14.16.2
1.14.16.3
1.14.16.4
1.14.16.5
1.14.16.6
1.14.17
1.14.18
1.14.19
1.14.2
1.14.20
1.14.21
1.14.22
1.14.23
1.14.24
1.14.25
1.14.26
1.14.27
1.14.28
1.14.29
1.14.3
1.14.30
1.14.31
1.14.4
1.14.5
1.14.6
1.14.7
1.14.7_newshlib
1.14.7_newshlib.1
1.14.8
1.14.8_newshlib
1.14.9
1.15.0
1.15.1
1.15.10
1.15.11
1.15.12
1.15.2
1.15.3
1.15.3.1
1.15.4
1.15.4.1
1.15.5
1.15.5.1
1.15.5.2
1.15.5.3
1.15.5.4
1.15.5.5
1.15.5.6
1.15.6
1.15.6.1
1.15.7
1.15.7.1
1.15.7.2
1.15.8
1.15.8.1
1.15.8.10
1.15.8.11
1.15.8.12
1.15.8.13
1.15.8.2
1.15.8.3
1.15.8.4
1.15.8.5
1.15.8.6
1.15.8.7
1.15.8.8
1.15.8.9
1.15.9
1.16.0
1.16.0.1
1.16.0.2
1.16.0.3
1.16.1
1.16.1.1
1.16.1.1_bpo60+1
1.16.1.1_bpo60+2
1.16.1.2
1.16.1.2_bpo60+1
1.16.10
1.16.11
1.16.12
1.16.13
1.16.14
1.16.15
1.16.16
1.16.17
1.16.18
1.16.2
1.16.3
1.16.4
1.16.4.1
1.16.4.2
1.16.4.3
1.16.5
1.16.6
1.16.7
1.16.8
1.16.9
1.16.9_bpo60+1
1.17.0
1.17.1
1.17.10
1.17.11
1.17.12
1.17.13
1.17.14
1.17.15
1.17.16
1.17.17
1.17.18
1.17.19
1.17.2
1.17.20
1.17.21
1.17.22
1.17.23
1.17.24
1.17.25
1.17.26
1.17.27
1.17.28
1.17.3
1.17.4
1.17.5
1.17.6
1.17.7
1.17.8
1.17.9
1.18.0
1.18.1
1.18.10
1.18.11
1.18.12
1.18.13
1.18.14
1.18.15
1.18.16
1.18.17
1.18.18
1.18.19
1.18.2
1.18.20
1.18.21
1.18.22
1.18.23
1.18.24
1.18.25
1.18.26
1.18.3
1.18.4
1.18.5
1.18.6
1.18.7
1.18.8
1.18.9
1.19.0
1.19.0.1
1.19.0.2
1.19.0.3
1.19.0.4
1.19.0.5
1.19.1
1.19.2
1.19.3
1.19.4
1.19.5
1.19.6
1.19.7
1.19.8
1.2.0
1.2.1
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.20.0
1.20.1
1.20.10
1.20.11
1.20.12
1.20.13
1.20.2
1.20.3
1.20.4
1.20.5
1.20.6
1.20.7
1.20.7.1
1.20.8
1.20.9
1.21.0
1.21.1
1.21.10
1.21.11
1.21.12
1.21.13
1.21.14
1.21.15
1.21.16
1.21.17
1.21.18
1.21.19
1.21.2
1.21.20
1.21.21
1.21.22
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
1.21.8
1.21.9
1.22.0
1.22.1
1.22.10
1.22.11
1.22.12
1.22.13
1.22.14
1.22.15
1.22.16
1.22.17
1.22.18
1.22.19
1.22.2
1.22.20
1.22.21
1.22.22
1.22.3
1.22.4
1.22.5
1.22.6
1.22.7
1.22.8
1.22.9
1.23.0
1.23.1
1.23.2
1.23.3
1.23.4
1.23.5
1.3.0
1.3.1
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.4.1.1
1.4.1.10
1.4.1.11
1.4.1.12
1.4.1.14
1.4.1.15
1.4.1.17
1.4.1.19
1.4.1.4
1.4.1.5
1.4.1.7
1.4.1.8
1.4.1.9
1.6
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.7.0
1.7.1

Database specific

vanir_signatures
[
    {
        "signature_type": "Function",
        "id": "CVE-2026-2219-1c9f15b1",
        "digest": {
            "function_hash": "245494360424293954015091094140295027202",
            "length": 480.0
        },
        "signature_version": "v1",
        "target": {
            "file": "lib/dpkg/compress.c",
            "function": "filter_unzstd_code"
        },
        "deprecated": false,
        "source": "https://git.dpkg.org/cgit/dpkg/dpkg.git@6610297a62c0780dd0e80b0e302ef64fdcc9d313"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2026-2219-4e3b3cc7",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "12195665675581459700096585737005087611",
                "287612384907204631831144275473975402648",
                "287266668066199483871727179562060628833"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "lib/dpkg/compress.c"
        },
        "deprecated": false,
        "source": "https://git.dpkg.org/cgit/dpkg/dpkg.git@6610297a62c0780dd0e80b0e302ef64fdcc9d313"
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-2219.json"