CVE-2026-2219

Source
https://cve.org/CVERecord?id=CVE-2026-2219
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-2219.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-2219
Published
2026-03-07T08:10:53.207Z
Modified
2026-05-18T05:58:31.530561212Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2219.json",
    "cna_assigner": "debian"
}

Affected packages

Git / git.dpkg.org/cgit/dpkg/dpkg.git

Affected ranges

Type
GIT
Repo
https://git.dpkg.org/cgit/dpkg/dpkg.git
Events
Introduced
ebc2c3def335ac391b010323ab65a302648f3ec7
Fixed
91c2348515166010927429adbd8eb8a50064b632

Affected versions

1.*
1.21.18
1.21.19
1.21.20
1.22.0
1.22.1
1.22.10
1.22.11
1.22.12
1.22.13
1.22.14
1.22.15
1.22.16
1.22.17
1.22.18
1.22.19
1.22.2
1.22.3
1.22.4
1.22.5
1.22.6
1.22.7
1.22.8
1.22.9
1.23.0
1.23.1
1.23.2
1.23.3
1.23.4
1.23.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-2219.json"