Debian Dpkg

By the Year

In 2026 there has been 1 vulnerability in Debian Dpkg, with an average score of 7.5 out of ten. Last year, in 2025, Dpkg had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Dpkg in 2026 could surpass last year's number.

Year  Vulnerabilities  Average Score
2026  1                7.50
2025  1                0.00
2024  0                0.00
2023  0                0.00
2022  1                9.80

It may take a day or so for new Dpkg vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Debian Dpkg Security Vulnerabilities

Debian dpkg zstd DoS via stream validation flaw CVE-2026-2219
CVE-2026-2219 7.5 - High - March 07, 2026

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Infinite Loop

dpkg-deb Temp File DoS via Unsanitized Dir Perms
CVE-2025-6297 - July 01, 2025

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

Dpkg::Source::Archive in dpkg
CVE-2022-1664 9.8 - Critical - May 26, 2022

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

Directory traversal
