dpkg vulnerability
Published: Thu, 07 May 2026 13:16
Summary
dpkg could be made to stop responding if it opened a specially crafted file.
Details
Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding, resulting in a denial of service.
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu noble
dpkg→1.22.6ubuntu6.6apt_upgradeStandard apt upgrade. Install 1.22.6ubuntu6.6 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y dpkg
Most apt upgrades restart their service automatically. needrestart lists anything else.
dpkg→1.22.6ubuntu6.6apt_upgradeStandard apt upgrade. Install 1.22.6ubuntu6.6 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y dpkg
Most apt upgrades restart their service automatically. needrestart lists anything else.
dpkg-dev→1.22.6ubuntu6.6apt_upgradeStandard apt upgrade. Install 1.22.6ubuntu6.6 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y dpkg-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
dselect→1.22.6ubuntu6.6apt_upgradeStandard apt upgrade. Install 1.22.6ubuntu6.6 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y dselect
Most apt upgrades restart their service automatically. needrestart lists anything else.
libdpkg-dev→1.22.6ubuntu6.6apt_upgradeStandard apt upgrade. Install 1.22.6ubuntu6.6 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libdpkg-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libdpkg-perl→1.22.6ubuntu6.6apt_upgradeStandard apt upgrade. Install 1.22.6ubuntu6.6 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libdpkg-perl
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu questing
dpkg→1.22.21ubuntu3.2apt_upgradeStandard apt upgrade. Install 1.22.21ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y dpkg
Most apt upgrades restart their service automatically. needrestart lists anything else.
dpkg→1.22.21ubuntu3.2apt_upgradeStandard apt upgrade. Install 1.22.21ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y dpkg
Most apt upgrades restart their service automatically. needrestart lists anything else.
dpkg-dev→1.22.21ubuntu3.2apt_upgradeStandard apt upgrade. Install 1.22.21ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y dpkg-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
dselect→1.22.21ubuntu3.2apt_upgradeStandard apt upgrade. Install 1.22.21ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y dselect
Most apt upgrades restart their service automatically. needrestart lists anything else.
libdpkg-dev→1.22.21ubuntu3.2apt_upgradeStandard apt upgrade. Install 1.22.21ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libdpkg-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libdpkg-perl→1.22.21ubuntu3.2apt_upgradeStandard apt upgrade. Install 1.22.21ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libdpkg-perl
Most apt upgrades restart their service automatically. needrestart lists anything else.
Are YOU affected by USN-8249-1?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8249-1 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.