VulnerableCode Package Details - pkg:deb/debian/dpkg@1.21.22

Search for packages

Vulnerability	Summary	Fixed by
VCID-1786-vddy-dfbz Aliases: CVE-2025-6297	It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.	1.22.22 Affected by 0 other vulnerabilities.
VCID-ec4e-5j15-ekd9 Aliases: CVE-2026-2219	It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).	1.22.22 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1786-vddy-dfbz
Aliases:
CVE-2025-6297

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

1.22.22
Affected by 0 other vulnerabilities.

VCID-ec4e-5j15-ekd9
Aliases:
CVE-2026-2219

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

1.22.22
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:32:00.467765+00:00	Debian Importer	Affected by	VCID-ec4e-5j15-ekd9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:41:47.559507+00:00	Debian Importer	Affected by	VCID-1786-vddy-dfbz	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:06:37.379831+00:00	Debian Importer	Affected by	VCID-ec4e-5j15-ekd9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:50:39.470076+00:00	Debian Importer	Affected by	VCID-1786-vddy-dfbz	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-02T17:08:27.293290+00:00	Debian Importer	Affected by	VCID-ec4e-5j15-ekd9	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:02:22.102631+00:00	Debian Importer	Affected by	VCID-1786-vddy-dfbz	https://security-tracker.debian.org/tracker/data/json	38.1.0