Description
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).
Published: 2026-03-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates in dpkg-deb, a component of Debian's packaging system, which fails to validate the end of the data stream when decompressing zstd‑compressed .deb archives. Because the decompression routine never detects that the input has ended without a valid end-of-stream marker, it can loop indefinitely, consuming 100% of a CPU core and causing a denial of service on the affected system. The weakness is classified as CWE‑835 (loop with unreachable exit condition, i.e. an infinite loop); the resulting CPU exhaustion is its practical effect.
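The defect class described above is a streaming decompression loop that keeps waiting for an end-of-stream marker that never arrives. The following added example (not dpkg's code, and unrelated to how dpkg-deb is implemented) shows a decompression loop written so that a truncated or over-long stream fails fast instead of spinning. It uses zlib as a stand-in for zstd because zlib ships with the Python standard library; the loop structure, the end-of-input check and the output cap are the same for any streaming decompressor. The `MAX_OUTPUT` cap, the `read`-callback interface and the sample payload are assumptions made for the example.

```python
import io
import zlib

# Hypothetical output cap for this example; a real unpacker would size this
# from the archive's declared member length.
MAX_OUTPUT = 16 * 1024 * 1024


def decompress_from_reader(read, chunk_size=4096, max_output=MAX_OUTPUT):
    """Inflate a stream obtained through read(n) -> bytes, where read()
    returns b'' once the input is exhausted (file-like semantics).

    Returns the decompressed bytes. Raises ValueError when the input ends
    before the decoder has seen its end-of-stream marker, when bytes follow
    that marker, or when the output grows past max_output.
    """
    decoder = zlib.decompressobj()
    out = bytearray()
    while not decoder.eof:
        chunk = read(chunk_size)
        if not chunk:
            # Input exhausted but the decoder still expects more data.
            # A loop that only tested decoder.eof would call read() again,
            # receive b'' again, and spin on the CPU forever (CWE-835).
            raise ValueError("truncated stream: end-of-stream marker never seen")
        out += decoder.decompress(chunk)
        if len(out) > max_output:
            # Checked after each chunk, so one chunk may overshoot before the
            # check fires; the cap bounds total growth, not a single call.
            raise ValueError("decompressed size exceeds %d bytes" % max_output)
    # Anything left in the last chunk, or still readable from the source,
    # is data after the end-of-stream marker: reject it rather than ignore it.
    if decoder.unused_data or read(1):
        raise ValueError("trailing bytes after end of stream")
    return bytes(out)


def classify(data, chunk_size=7, max_output=MAX_OUTPUT):
    """Run the loop over an in-memory byte string and name the outcome:
    'ok', 'truncated', 'trailing' or 'limit'."""
    try:
        decompress_from_reader(io.BytesIO(data).read,
                               chunk_size=chunk_size, max_output=max_output)
        return "ok"
    except ValueError as exc:
        msg = str(exc)
        if msg.startswith("truncated"):
            return "truncated"
        if msg.startswith("trailing"):
            return "trailing"
        return "limit"


def sample_stream():
    """Constructed sample input: a control-file-like payload and its
    complete zlib stream."""
    payload = b"Package: example\nVersion: 0.0.0\n" * 64
    return payload, zlib.compress(payload)


if __name__ == "__main__":
    payload, complete = sample_stream()
    print(classify(complete))                  # ok
    print(classify(complete[:-4]))             # truncated (trailer cut off)
    print(classify(complete[:20]))             # truncated (cut mid-body)
    print(classify(complete + b"junk"))        # trailing
    print(classify(complete, max_output=100))  # limit
```

The small `chunk_size` in `classify` forces the stream boundary to fall at arbitrary positions relative to the read calls, which is the situation in which an end-of-stream check is most easily mis-written; the final `read(1)` makes the trailing-data check independent of where that boundary lands.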

Affected Systems

Affected products are all Debian systems using the dpkg package manager, specifically its dpkg‑deb component. The CVE does not list affected versions, so any Debian release that has not received the zstd stream validation patch should be treated as potentially vulnerable. Users should compare their installed dpkg version with the fixed version published in their distribution's repository to confirm whether the patch is present.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests the current probability of exploitation is low. The vulnerability is not in CISA's KEV catalog. Exploitation requires an attacker to supply a malicious .deb file that is then decompressed, which can happen during package installation or update operations. The CVSS vector records no privilege requirement (PR:N): dpkg-deb can be run by an unprivileged user to inspect or extract an archive, while installation with dpkg runs as root, so a malicious package could tie up either an unprivileged process or a root-owned one; compromised update services could also deliver such a package.

Generated by OpenCVE AI on April 16, 2026 at 10:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Debian package update that includes the zstd stream validation patch (e.g., upgrade dpkg to the latest available release).
  • Ensure that all .deb packages are obtained from trusted, authenticated repositories to prevent malicious archives from reaching the unpacking routine.
  • If an update is unavailable, avoid installing or uncompressing zstd‑compressed .deb packages from untrusted sources while monitoring system CPU usage for signs of an infinite loop.


Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 11:15:00 +0000

Type: Title
Values Added: dpkg-deb Infinite Loop DoS via Improper Zstd Stream Validation

Mon, 09 Mar 2026 15:30:00 +0000

Type: Weaknesses
Values Added: CWE-835

Type: Metrics
Values Added:
cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Debian; Debian dpkg

Type: Vendors & Products
Values Added: Debian; Debian dpkg

Sat, 07 Mar 2026 10:15:00 +0000

Type: References

Sat, 07 Mar 2026 08:15:00 +0000

Type: Description
Values Added: It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

Type: References

MITRE

Status: PUBLISHED

Assigner: debian

Published:

Updated: 2026-03-09T14:52:18.435Z

Reserved: 2026-02-08T15:48:51.824Z

Link: CVE-2026-2219

Vulnrichment

Updated: 2026-03-09T14:52:03.318Z

NVD

Status : Awaiting Analysis

Published: 2026-03-07T09:16:07.823

Modified: 2026-03-09T15:15:57.870

Link: CVE-2026-2219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses