dpkg on Linux systems can be crashed by a malicious .deb file
DEBIAN-CVE-2026-2219
Severity: 7.5
Summary
A flaw in dpkg on Linux systems can cause a denial of service if a specially crafted .deb file is installed. An attacker can build a malicious .deb whose zstd-compressed data stream has a malformed end; because dpkg-deb does not properly validate the end of that stream when uncompressing, it enters an infinite loop and spins the CPU. To stay safe, ensure you only install .deb files from trusted sources.
What to do
- Update the Debian dpkg package to version 1.23.6.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | dpkg | All versions | – |
| debian | dpkg | <= 1.23.6 | 1.23.6 |
Original title
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, ...
Original description
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).
CVSS 3.1 score (OSV): 7.5
References
- https://security-tracker.debian.org/tracker/CVE-2026-2219 (Vendor Advisory)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026