CVE-2026-2219
Published: 07 March 2026
Summary
CVE-2026-2219 is a high-severity Infinite Loop (CWE-835) vulnerability in Debian Dpkg. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 7.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-2219 is a vulnerability in dpkg-deb, a component of dpkg, the Debian package management system. It stems from improper validation of the end of the data stream during decompression of zstd-compressed .deb archives, which can trigger a denial of service via an infinite loop that consumes CPU resources (CWE-835: Loop with Unreachable Exit Condition). The issue was published on 2026-03-07 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By providing a specially crafted zstd-compressed .deb archive for extraction via dpkg-deb, the attacker induces an infinite decompression loop, resulting in high availability impact through sustained CPU exhaustion, while confidentiality and integrity remain unaffected.
Mitigation is provided through a patch in the dpkg Git repository at commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313. Further details, including the bug report and resolution, are documented in the Debian bug tracker at https://bugs.debian.org/1129722. Security practitioners should update affected dpkg installations promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10138
Vulnerability details
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to application exploitation causing endpoint DoS via infinite loop/CPU exhaustion in dpkg-deb decompression.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the vulnerability by applying the available patch that corrects improper data stream validation in dpkg-deb, preventing the infinite decompression loop.
- SC-5 (Denial-of-service Protection): Implements denial-of-service protections at system boundaries to limit resource exhaustion from crafted zstd-compressed .deb archives.
- Monitors system resources to detect anomalous CPU utilization indicative of the infinite loop triggered by malformed .deb archives.