Cyber Resilience

CVE-2026-2219

High · DoS · Updated

Published: 07 March 2026
Modified: 02 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (7.5th percentile)
Risk Priority: 15 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2219 is a high-severity infinite loop (CWE-835) vulnerability in Debian dpkg. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it at the 7.5th percentile of exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-2219 is a vulnerability in dpkg-deb, a component of dpkg, the Debian package management system. It stems from improper validation of the end of the data stream during decompression of zstd-compressed .deb archives, which can trigger a denial of service via an infinite loop that consumes CPU resources (CWE-835: Loop with Unreachable Exit Condition). The issue was published on 2026-03-07 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The CVSS vector rates the attack as network-reachable with low complexity and no privileges or user interaction, because the malicious input is a file that can arrive from anywhere: a package fetched from a mirror, a vendor download, or an upload to a service that inspects .deb files. The trigger itself is local: dpkg-deb must actually process the crafted zstd-compressed archive, for example via dpkg -i, dpkg-deb -x, or an automated pipeline that unpacks untrusted packages. When it does, the decompressor enters a loop that never reaches its exit condition and pins a CPU core until the process is killed, which is the high availability impact; confidentiality and integrity are unaffected.

The fix is commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313 in the dpkg Git repository; the bug report and its resolution are tracked in the Debian bug tracker at https://bugs.debian.org/1129722. Update affected dpkg installations promptly. To confirm exposure, compare the installed version (dpkg-query -W -f='${Version}' dpkg) against the ranges listed under Affected Assets; the advisory lists affected ranges but not the first fixed version of each branch, so falling outside a listed range is the only signal available here. Until fixed builds are deployed, treat any service or pipeline that unpacks third-party .deb files with dpkg-deb as exposed.

Vulnerability details

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

CWE(s)

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct mapping to application exploitation causing endpoint DoS via infinite loop/CPU exhaustion in dpkg-deb decompression.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33013 (shared CWE-835)
CVE-2026-26283 (shared CWE-835)
CVE-2026-31448 (shared CWE-835)
CVE-2026-27628 (shared CWE-835)
CVE-2026-39806 (shared CWE-835)
CVE-2026-29975 (shared CWE-835)
CVE-2026-21507 (shared CWE-835)
CVE-2026-44302 (shared CWE-835)
CVE-2026-42899 (shared CWE-835)
CVE-2026-23451 (shared CWE-835)

Affected Assets

debian
dpkg
1.21.18 — 1.21.23 · 1.22.0 — 1.22.22 · 1.23.0 — 1.23.6
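An added check, not part of this page or of dpkg: a portable test of a dpkg version string against the ranges listed above. It assumes plain dotted upstream versions and strips any epoch or Debian revision before comparing; on a Debian host, `dpkg --compare-versions` is the authoritative comparator and `dpkg-query -W -f='${Version}' dpkg` yields the installed version. The page lists affected ranges but not fixed versions, so the check reports only whether a version falls inside a listed range.

```shell
#!/bin/sh
# Added example, not dpkg project code: test a dpkg version string against the
# affected ranges listed under "Affected Assets" on this page.
# Assumptions: upstream versions are plain dotted integers (e.g. 1.22.6); an
# epoch ("1:") or Debian revision ("-1") is stripped before comparing. On a
# real host `dpkg --compare-versions` is authoritative; this is a
# self-contained stand-in so the check runs anywhere.

# Inclusive ranges copied from this page, as lo:hi pairs.
AFFECTED_RANGES="1.21.18:1.21.23 1.22.0:1.22.22 1.23.0:1.23.6"

# Reduce "1:1.21.18-1" to "1.21.18".
upstream_version() {
    v=${1#*:}        # drop epoch
    v=${v%%-*}       # drop Debian revision
    printf '%s\n' "$v"
}

# version_le A B: exit 0 if A <= B, comparing dotted integers component-wise.
# A missing component counts as 0, so "1.22" equals "1.22.0".
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 0
}

# Print "affected" (exit 0) or "not-affected" (exit 1) for a dpkg version.
check_dpkg_version() {
    v=$(upstream_version "$1")
    for range in $AFFECTED_RANGES; do
        lo=${range%%:*}; hi=${range#*:}
        if version_le "$lo" "$v" && version_le "$v" "$hi"; then
            echo affected
            return 0
        fi
    done
    echo not-affected
    return 1
}

# On a Debian or Ubuntu host, feed the installed version straight in:
#   check_dpkg_version "$(dpkg-query -W -f='${Version}' dpkg)"
```

Both range ends are inclusive, matching the way the ranges are listed on this page.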

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation

Directly remediates the vulnerability by applying the available patch (dpkg commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313), which corrects the end-of-stream validation in dpkg-deb so the decompression loop terminates.

prevent · SC-5 Denial-of-service Protection

Bounds what a crafted zstd-compressed .deb can cost: unpack untrusted packages only under CPU-time and wall-clock limits (ulimit -t, timeout) or inside an isolated, resource-capped environment, so a runaway decompression cannot starve the rest of the host.

detect

Monitors host resource usage for a dpkg-deb process that stays at or near 100% CPU well beyond the duration of a normal unpack, the signature of the infinite loop triggered by a malformed .deb archive.
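The SC-5 and detect controls above, as an added example that is not code from this advisory or from dpkg. It assumes Linux with a POSIX sh, procps `ps` and GNU coreutils `timeout`; the 30 s / 60 s / 120 s / 90 % thresholds and the `ps` snapshot are constructed for illustration, not values from the advisory.

```shell
#!/bin/sh
# Added example, not dpkg project code. Two pieces matching the SC-5 and
# detect controls: bound the cost of unpacking an untrusted .deb, and flag a
# dpkg-deb process that is already spinning.
# Assumptions: Linux, POSIX sh, procps `ps`, GNU coreutils `timeout`;
# thresholds are illustrative.

# bounded_run SECS CMD...: run CMD with a hard CPU-time ceiling of SECS seconds.
# The kernel delivers SIGXCPU when the ceiling is hit, so a loop that never
# reaches its exit condition is killed instead of holding a core indefinitely.
# The shell reports death by signal as 128 + signal number (SIGXCPU is 24).
bounded_run() {
    limit=$1; shift
    ( ulimit -t "$limit"; exec "$@" )
}

# Unpack a .deb into DEST with both a CPU budget and a wall-clock budget
# (timeout covers a process that blocks rather than spins).
safe_deb_extract() {
    deb=$1; dest=$2
    bounded_run 30 timeout 60 dpkg-deb -x "$deb" "$dest"
}

# flag_runaway_dpkg_deb [MIN_SECS] [MIN_CPU]: read lines of
#   ps -eo pid=,etimes=,pcpu=,comm=
# on stdin and print an alert for every dpkg-deb process alive for at least
# MIN_SECS seconds at an average CPU share of at least MIN_CPU percent.
# ps's pcpu is the lifetime average, so a process that has been spinning
# since it started shows close to 100 even when sampled only once.
flag_runaway_dpkg_deb() {
    awk -v min_secs="${1:-120}" -v min_cpu="${2:-90}" '
        $4 == "dpkg-deb" && $2 + 0 >= min_secs && $3 + 0 >= min_cpu {
            printf "ALERT pid=%s running=%ss cpu=%s%%\n", $1, $2, $3
        }'
}

# Constructed ps snapshot for demonstration (not real telemetry): an unpack
# that just started, one pinned near 100% for ten minutes, one idle, and an
# unrelated process.
SAMPLE_PS='  101    15  98.0 dpkg-deb
  202   600  99.5 dpkg-deb
  303   900   0.3 dpkg-deb
  404   700  99.0 zstd'

# Run the detector over the constructed snapshot and return its alert lines.
sample_alerts() {
    printf '%s\n' "$SAMPLE_PS" | flag_runaway_dpkg_deb 120 90
}

# Live use on a host, e.g. from cron or a monitoring agent:
#   ps -eo pid=,etimes=,pcpu=,comm= | flag_runaway_dpkg_deb 120 90
```

The CPU-time limit is the control that actually neutralises this bug class: a spinning decompressor consumes CPU seconds at wall-clock rate, so `ulimit -t` fires regardless of how the loop was reached, while `timeout` additionally covers a process that hangs without spinning. The detector is deliberately conservative (long lifetime and high average share together) so a legitimately large package unpack is not flagged.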

References

https://bugs.debian.org/1129722 (Debian bug report and resolution)
dpkg Git commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313 (fix)