NIXPKGS-2026-0579

GitHub issue published on 8 Mar 2026

Permalink CVE-2026-2219

updated 1 week ago by @mweinelt Activity log

Created automatic suggestion 1 week ago
@mweinelt accepted 1 week ago
@mweinelt published on GitHub 1 week ago

It was discovered that dpkg-deb (a component of dpkg, the …

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

References

https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313 patch
https://bugs.debian.org/1129722 issue-tracking

Affected products

dpkg

<1.23.6

Matching in nixpkgs

pkgs.dpkg

Debian package manager

nixos-unstable 1.23.5
- nixpkgs-unstable 1.23.5
- nixos-unstable-small 1.23.5
nixos-25.11 1.22.21
- nixos-25.11-small 1.22.21
- nixpkgs-25.11-darwin 1.22.21

Package maintainers

@siriobalmelli Sirio Balmelli <sirio@b-ad.ch>

Upstream issue: https://bugs.debian.org/challenge.html?original=%2f1129722
Patch: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0579

References

Affected products

Matching in nixpkgs

pkgs.dpkg

Package maintainers