{"id":"CVE-2026-2219","details":"It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).","modified":"2026-03-25T17:42:26.886757Z","published":"2026-03-07T09:16:07.823Z","related":["SUSE-SU-2026:20766-1","SUSE-SU-2026:20795-1"],"references":[{"type":"WEB","url":"https://bugs.debian.org/1129722"},{"type":"WEB","url":"https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.dpkg.org/cgit/dpkg/dpkg.git","events":[{"introduced":"0"},{"fixed":"6610297a62c0780dd0e80b0e302ef64fdcc9d313"}]}],"versions":["1.1.4","1.1.5","1.1.6","1.10","1.10.1","1.10.10","1.10.11","1.10.12","1.10.13","1.10.14","1.10.15","1.10.16","1.10.17","1.10.18","1.10.18.1","1.10.19","1.10.2","1.10.20","1.10.21","1.10.22","1.10.23","1.10.24","1.10.25","1.10.26","1.10.27","1.10.28","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.10.8","1.10.9","1.13.1.0.1","1.13.10","1.13.11","1.13.11.1","1.13.12","1.13.13","1.13.14","1.13.15","1.13.16","1.13.17","1.13.18","1.13.19","1.13.2","1.13.20","1.13.21","1.13.22","1.13.23","1.13.24","1.13.25","1.13.26","1.13.3","1.13.4","1.13.5","1.13.6","1.13.7","1.13.8","1.13.9","1.14.0","1.14.1","1.14.10","1.14.11","1.14.12","1.14.13","1.14.14","1.14.15","1.14.16","1.14.16.1","1.14.16.2","1.14.16.3","1.14.16.4","1.14.16.5","1.14.16.6","1.14.17","1.14.18","1.14.19","1.14.2","1.14.20","1.14.21","1.14.22","1.14.23","1.14.24","1.14.25","1.14.26","1.14.27","1.14.28","1.14.29","1.14.3","1.14.30","1.14.31","1.14.4","1.14.5","1.14.6","1.14.7","1.14.7_newshlib","1.14.7_newshlib.1","1.14.8","1.14.8_newshlib","1.14.9","1.15.0","1.15.1","1.15.10","1.15.11","1.15.12","1.15.2","1.15.3","1.15.3.1","1.15.4","1.15.4.1","1.15.5","1.15.5.1","1.15.5.2","1.15.5.3","1.15.5.4","1.15.5.5","1.15.5.6","1.15.6","1.15.6.1","1.15.7","1.15.7.1","1.15.7.2","1.15.8","1.15.8.1","1.15.8.10","1.15.8.11","1.15.8.12","1.15.8.13","1.15.8.2","1.15.8.3","1.15.8.4","1.15.8.5","1.15.8.6","1.15.8.7","1.15.8.8","1.15.8.9","1.15.9","1.16.0","1.16.0.1","1.16.0.2","1.16.0.3","1.16.1","1.16.1.1","1.16.1.1_bpo60+1","1.16.1.1_bpo60+2","1.16.1.2","1.16.1.2_bpo60+1","1.16.10","1.16.11","1.16.12","1.16.13","1.16.14","1.16.15","1.16.16","1.16.17","1.16.18","1.16.2","1.16.3","1.16.4","1.16.4.1","1.16.4.2","1.16.4.3","1.16.5","1.16.6","1.16.7","1.16.8","1.16.9","1.16.9_bpo60+1","1.17.0","1.17.1","1.17.10","1.17.11","1.17.12","1.17.13","1.17.14","1.17.15","1.17.16","1.17.17","1.17.18","1.17.19","1.17.2","1.17.20","1.17.21","1.17.22","1.17.23","1.17.24","1.17.25","1.17.26","1.17.27","1.17.28","1.17.3","1.17.4","1.17.5","1.17.6","1.17.7","1.17.8","1.17.9","1.18.0","1.18.1","1.18.10","1.18.11","1.18.12","1.18.13","1.18.14","1.18.15","1.18.16","1.18.17","1.18.18","1.18.19","1.18.2","1.18.20","1.18.21","1.18.22","1.18.23","1.18.24","1.18.25","1.18.26","1.18.3","1.18.4","1.18.5","1.18.6","1.18.7","1.18.8","1.18.9","1.19.0","1.19.0.1","1.19.0.2","1.19.0.3","1.19.0.4","1.19.0.5","1.19.1","1.19.2","1.19.3","1.19.4","1.19.5","1.19.6","1.19.7","1.19.8","1.2.0","1.2.1","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.20.0","1.20.1","1.20.10","1.20.11","1.20.12","1.20.13","1.20.2","1.20.3","1.20.4","1.20.5","1.20.6","1.20.7","1.20.7.1","1.20.8","1.20.9","1.21.0","1.21.1","1.21.10","1.21.11","1.21.12","1.21.13","1.21.14","1.21.15","1.21.16","1.21.17","1.21.18","1.21.19","1.21.2","1.21.20","1.21.21","1.21.22","1.21.3","1.21.4","1.21.5","1.21.6","1.21.7","1.21.8","1.21.9","1.22.0","1.22.1","1.22.10","1.22.11","1.22.12","1.22.13","1.22.14","1.22.15","1.22.16","1.22.17","1.22.18","1.22.19","1.22.2","1.22.20","1.22.21","1.22.22","1.22.3","1.22.4","1.22.5","1.22.6","1.22.7","1.22.8","1.22.9","1.23.0","1.23.1","1.23.2","1.23.3","1.23.4","1.23.5","1.3.0","1.3.1","1.3.10","1.3.11","1.3.12","1.3.13","1.3.14","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1.1","1.4.1.10","1.4.1.11","1.4.1.12","1.4.1.14","1.4.1.15","1.4.1.17","1.4.1.19","1.4.1.4","1.4.1.5","1.4.1.7","1.4.1.8","1.4.1.9","1.6","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.7.0","1.7.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-2219.json","vanir_signatures":[{"source":"https://git.dpkg.org/cgit/dpkg/dpkg.git@6610297a62c0780dd0e80b0e302ef64fdcc9d313","id":"CVE-2026-2219-1c9f15b1","digest":{"length":480,"function_hash":"245494360424293954015091094140295027202"},"target":{"function":"filter_unzstd_code","file":"lib/dpkg/compress.c"},"signature_type":"Function","signature_version":"v1","deprecated":false},{"source":"https://git.dpkg.org/cgit/dpkg/dpkg.git@6610297a62c0780dd0e80b0e302ef64fdcc9d313","id":"CVE-2026-2219-4e3b3cc7","digest":{"line_hashes":["12195665675581459700096585737005087611","287612384907204631831144275473975402648","287266668066199483871727179562060628833"],"threshold":0.9},"target":{"file":"lib/dpkg/compress.c"},"signature_type":"Line","signature_version":"v1","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}