NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010022
• https://sourceware.org/bugzilla/show_bug.cgi?id=22850
• https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3
• https://ubuntu.com/security/CVE-2019-1010022

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

Remediation

There is no fixed version for Debian:13 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2005-2541
• http://marc.info/?l=bugtraq&m=112327628230258&w=2
• https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E
• https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22851
• http://www.securityfocus.com/bid/109167
• https://ubuntu.com/security/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.

Remediation

There is no fixed version for Debian:13 ncurses.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69720
• https://github.com/Cao-Wuhui/CVE-2025-69720
• https://invisible-island.net/archives/ncurses/6.5/
• https://invisible-island.net/ncurses/
• https://marc.info/?l=ncurses-bug&m=176539968328570&w=2
• https://marc.info/?l=ncurses-bug&m=176540731801330&w=2
• https://marc.info/?l=ncurses-bug&m=176545557728083&w=2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
• https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
• https://security.netapp.com/advisory/ntap-20190315-0002/
• http://www.securityfocus.com/bid/107160
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=24269
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

Remediation

There is no fixed version for Debian:13 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2007-5686
• http://www.securityfocus.com/archive/1/482129/100/100/threaded
• http://www.securityfocus.com/archive/1/482857/100/0/threaded
• https://issues.rpath.com/browse/RPL-1825
• http://secunia.com/advisories/27215
• http://www.securityfocus.com/bid/26048
• http://www.vupen.com/english/advisories/2007/3474

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14104
• https://access.redhat.com/security/cve/CVE-2025-14104
• https://bugzilla.redhat.com/show_bug.cgi?id=2419369
• https://access.redhat.com/errata/RHSA-2026:1696
• https://access.redhat.com/errata/RHSA-2026:1852
• https://access.redhat.com/errata/RHSA-2026:1913
• https://access.redhat.com/errata/RHSA-2026:2485
• https://access.redhat.com/errata/RHSA-2026:2563
• https://access.redhat.com/errata/RHSA-2026:2737
• https://access.redhat.com/errata/RHSA-2026:2800
• https://access.redhat.com/errata/RHSA-2026:3406
• https://access.redhat.com/errata/RHSA-2026:4943
• https://access.redhat.com/errata/RHSA-2026:7180

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Debian:13 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5704
• https://access.redhat.com/security/cve/CVE-2026-5704
• https://bugzilla.redhat.com/show_bug.cgi?id=2455360
• http://www.openwall.com/lists/oss-security/2026/04/11/10
• http://www.openwall.com/lists/oss-security/2026/04/11/11
• http://www.openwall.com/lists/oss-security/2026/04/12/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2022-0563
• https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u
• https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u
• https://security.gentoo.org/glsa/202401-08
• https://security.netapp.com/advisory/ntap-20220331-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Remediation

There is no fixed version for Debian:13 zlib.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27171
• https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
• https://github.com/madler/zlib/releases/tag/v1.3.2
• https://ostif.org/zlib-audit-complete/
• https://github.com/madler/zlib/issues/904
• https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010024
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22852
• http://www.securityfocus.com/bid/109162
• https://ubuntu.com/security/CVE-2019-1010024
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010025
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22853
• https://ubuntu.com/security/CVE-2019-1010025
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31439
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/pull/28885
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31438
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/pull/28886
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31437
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in util-linux. Improper hostname canonicalization in the login(1) utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAM_RHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3184
• https://access.redhat.com/errata/RHSA-2026:7180
• https://access.redhat.com/security/cve/CVE-2026-3184
• https://bugzilla.redhat.com/show_bug.cgi?id=2442570

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Remediation

There is no fixed version for Debian:13 xz-utils.

References

• https://security-tracker.debian.org/tracker/CVE-2026-34743
• https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87
• https://github.com/tukaani-project/xz/releases/tag/v5.8.3
• https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv
• http://www.openwall.com/lists/oss-security/2026/03/31/13

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

Remediation

There is no fixed version for Debian:13 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2017-18018
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018
• http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

Remediation

There is no fixed version for Debian:13 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2025-5278
• https://access.redhat.com/security/cve/CVE-2025-5278
• https://bugzilla.redhat.com/show_bug.cgi?id=2368764
• http://www.openwall.com/lists/oss-security/2025/05/27/2
• http://www.openwall.com/lists/oss-security/2025/05/29/1
• https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/NEWS?id=8c9602e3a145e9596dc1a63c6ed67865814b6633#n14
• http://www.openwall.com/lists/oss-security/2025/05/29/2
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507
• https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2013-4392
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357
• http://www.openwall.com/lists/oss-security/2013/10/01/9
• https://bugzilla.redhat.com/show_bug.cgi?id=859060

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2010-4756
• http://cxib.net/stuff/glob-0day.c
• http://securityreason.com/achievement_securityalert/89
• http://securityreason.com/exploitalert/9223
• https://bugzilla.redhat.com/show_bug.cgi?id=681681
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756
• https://security.netapp.com/advisory/ntap-20241108-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

Remediation

There is no fixed version for Debian:13 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2021-45346
• https://github.com/guyinatuxedo/sqlite3_record_leaking
• https://security.netapp.com/advisory/ntap-20220303-0001/
• https://sqlite.org/forum/forumpost/056d557c2f8c452ed5
• https://sqlite.org/forum/forumpost/53de8864ba114bf6
• https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves

NVD Description

Note: Versions mentioned in the description apply only to the upstream apt package and not the apt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Remediation

There is no fixed version for Debian:13 apt.

References

• https://security-tracker.debian.org/tracker/CVE-2011-3374
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480
• https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html
• https://seclists.org/fulldisclosure/2011/Sep/221
• https://snyk.io/vuln/SNYK-LINUX-APT-116518
• https://ubuntu.com/security/CVE-2011-3374
• https://access.redhat.com/security/cve/cve-2011-3374

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.

Remediation

There is no fixed version for Debian:13 ncurses.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6141
• https://invisible-island.net/ncurses/NEWS.html#index-t20250329
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html
• https://vuldb.com/?ctiid.312610
• https://vuldb.com/?id.312610
• https://vuldb.com/?submit.593000
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2011-4116
• https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14
• https://rt.cpan.org/Public/Bug/Display.html?id=69106
• https://seclists.org/oss-sec/2011/q4/238
• http://www.openwall.com/lists/oss-security/2011/11/04/2
• http://www.openwall.com/lists/oss-security/2011/11/04/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2026-40228
• https://www.openwall.com/lists/oss-security/2026/04/08/1
• http://www.openwall.com/lists/oss-security/2026/05/05/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5435
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=34033

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5928
• https://sourceware.org/bugzilla/show_bug.cgi?id=33998

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.

These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6238
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=34069

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5450
• https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Debian:13 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2024-56433
• https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
• https://github.com/shadow-maint/shadow/issues/1157
• https://github.com/shadow-maint/shadow/releases/tag/4.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

Remediation

There is no fixed version for Debian:13 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2025-70873
• https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054
• https://sqlite.org/forum/forumpost/761eac3c82
• https://sqlite.org/src/info/3d459f1fb1bd1b5e

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27456
• https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4
• https://github.com/util-linux/util-linux/releases/tag/v2.41.4
• https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g