Debian dpkg zstd DOS via stream validation flaw CVE-2026-2219
CVE-2026-2219 Published on March 7, 2026
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).
Vulnerability Analysis
CVE-2026-2219 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is an Infinite Loop Vulnerability?
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.
CVE-2026-2219 has been classified to as an Infinite Loop vulnerability or weakness.
Products Associated with CVE-2026-2219
Want to know whenever a new CVE is published for Debian Dpkg? stack.watch will email you.
Affected Versions
Debian dpkg:- Version 1.21.18 and below 1.23.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.