{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2219", "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "state": "PUBLISHED", "assignerShortName": "debian", "dateReserved": "2026-02-08T15:48:51.824Z", "datePublished": "2026-03-07T08:10:53.207Z", "dateUpdated": "2026-03-09T14:52:18.435Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian", "dateUpdated": "2026-03-07T10:02:03.145Z"}, "affected": [{"vendor": "Debian", "product": "dpkg", "versions": [{"status": "affected", "version": "1.21.18", "lessThan": "1.23.6", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).</p>"}]}], "references": [{"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313", "tags": ["patch"]}, {"url": "https://bugs.debian.org/1129722", "tags": ["issue-tracking"]}], "credits": [{"lang": "en", "value": "Yashashree Gund", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-835", "lang": "en", "description": "CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:52:13.047553Z", "id": "CVE-2026-2219", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:52:18.435Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T14:52:13.047553Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:52:03.318Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Yashashree Gund"}], "affected": [{"vendor": "Debian", "product": "dpkg", "versions": [{"status": "affected", "version": "1.21.18", "lessThan": "1.23.6", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313", "tags": ["patch"]}, {"url": "https://bugs.debian.org/1129722", "tags": ["issue-tracking"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).", "supportingMedia": [{"type": "text/html", "value": "<p>It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).</p>", "base64": false}]}], "providerMetadata": {"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian", "dateUpdated": "2026-03-07T10:02:03.145Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2219", "state": "PUBLISHED", "dateUpdated": "2026-03-09T14:52:18.435Z", "dateReserved": "2026-02-08T15:48:51.824Z", "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "datePublished": "2026-03-07T08:10:53.207Z", "assignerShortName": "debian"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU)."}], "id": "CVE-2026-2219", "lastModified": "2026-03-09T15:15:57.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-07T09:16:07.823", "references": [{"source": "security@debian.org", "url": "https://bugs.debian.org/1129722"}, {"source": "security@debian.org", "url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.21.18,1.23.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dpkg", "source": "cna", "vendor": "Debian"}, "product": "dpkg", "vendor": "debian"}], "analysis": {"en": {"generated_at": "2026-04-16T10:58:16.848024+00:00", "value": {"mitigation_remediation": ["Apply the Debian package update that includes the zstd stream validation patch (e.g., upgrade dpkg to the latest available release).", "Ensure that all .deb packages are obtained from trusted, authenticated repositories to prevent malicious archives from reaching the unpacking routine.", "If an update is unavailable, avoid installing or uncompressing zstd\u2011compressed .deb packages from untrusted sources while monitoring system CPU usage for signs of an infinite loop."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected products are all Debian systems using the dpkg package manager, particularly the dpkg\u2011deb component. The CVE does not list specific affected versions, so any Debian release prior to the application of the zstd stream validation patch is potentially vulnerable. Users should check their dpkg version against the repository to confirm if the patch is present.", "description_and_impact": "The vulnerability originates from dpkg-deb, a component of Debian's packaging system, which fails to validate the end of a data stream when decompressing zstd\u2011compressed .deb archives. This oversight can cause the decompression routine to enter an infinite loop, consuming 100% CPU and leading to a denial of service on the affected system. The weakness aligns with CWE\u2011835, reflecting uncontrolled resource consumption.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, but the EPSS score of less than 1% suggests exploitation probability is low at present. The vulnerability is not in CISA's KEV catalog. Attacks would require an attacker to supply a malicious .deb file that is decompressed, which can occur during package installation or update operations. Because the flaw is triggered during decompression, administrative or root privileges are typically required, but local process elevation or compromised update services could also facilitate exploitation."}}}}, "created": "2026-03-09T10:05:30.617922+00:00", "title": "dpkg-deb Infinite Loop DoS via Improper Zstd Stream Validation", "updated": "2026-04-16T11:00:10.675513+00:00", "vendors": ["debian", "debian$PRODUCT$dpkg"]}