NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010022
• https://sourceware.org/bugzilla/show_bug.cgi?id=22850
• https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3
• https://ubuntu.com/security/CVE-2019-1010022

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

Remediation

There is no fixed version for Debian:13 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2005-2541
• http://marc.info/?l=bugtraq&m=112327628230258&w=2
• https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E
• https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22851
• http://www.securityfocus.com/bid/109167
• https://ubuntu.com/security/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27654
• https://my.f5.com/manage/s/article/K000160382

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-25210
• https://github.com/libexpat/libexpat/pull/1075
• https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.

Remediation

There is no fixed version for Debian:13 ncurses.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69720
• https://github.com/Cao-Wuhui/CVE-2025-69720
• https://invisible-island.net/archives/ncurses/6.5/
• https://invisible-island.net/ncurses/
• https://marc.info/?l=ncurses-bug&m=176539968328570&w=2
• https://marc.info/?l=ncurses-bug&m=176540731801330&w=2
• https://marc.info/?l=ncurses-bug&m=176545557728083&w=2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32647
• https://my.f5.com/manage/s/article/K000160366

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8176
• http://www.libtiff.org/
• https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172
• https://gitlab.com/libtiff/libtiff/-/issues/707
• https://gitlab.com/libtiff/libtiff/-/merge_requests/727
• https://vuldb.com/?ctiid.317590
• https://vuldb.com/?id.317590
• https://vuldb.com/?submit.621796

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8177
• http://www.libtiff.org/
• https://gitlab.com/libtiff/libtiff/-/commit/e8c9d6c616b19438695fd829e58ae4fde5bfbc22
• https://gitlab.com/libtiff/libtiff/-/merge_requests/737
• https://vuldb.com/?ctiid.317591
• https://vuldb.com/?id.317591
• https://gitlab.com/libtiff/libtiff/-/issues/715
• https://vuldb.com/?submit.621797

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
• https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
• https://security.netapp.com/advisory/ntap-20190315-0002/
• http://www.securityfocus.com/bid/107160
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=24269
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Debian:13 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2018-5709
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5709
• https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

Remediation

There is no fixed version for Debian:13 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6829
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
• https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
• https://www.oracle.com/security-alerts/cpujan2020.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27651
• https://my.f5.com/manage/s/article/K000160383

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2015-3276
• http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1238322
• http://rhn.redhat.com/errata/RHSA-2015-2131.html
• http://www.securitytracker.com/id/1034221
• https://access.redhat.com/errata/RHSA-2015:2131
• https://access.redhat.com/security/cve/CVE-2015-3276

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2017-17740
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
• http://www.openldap.org/its/index.cgi/Incoming?id=8759
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2017-16232
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16232
• http://packetstormsecurity.com/files/150896/LibTIFF-4.0.8-Memory-Leak.html
• http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html
• http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00041.html
• http://www.openwall.com/lists/oss-security/2017/11/01/11
• http://www.openwall.com/lists/oss-security/2017/11/01/3
• http://www.openwall.com/lists/oss-security/2017/11/01/7
• http://www.openwall.com/lists/oss-security/2017/11/01/8
• http://seclists.org/fulldisclosure/2018/Dec/32
• http://seclists.org/fulldisclosure/2018/Dec/47
• http://www.securityfocus.com/bid/101696

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

Remediation

There is no fixed version for Debian:13 libssh2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-7598
• https://github.com/libssh2/libssh2/
• https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
• https://github.com/libssh2/libssh2/pull/1858
• https://vuldb.com/vuln/360555
• https://vuldb.com/vuln/360555/cti
• https://vuldb.com/submit/805564

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2013-0337
• http://security.gentoo.org/glsa/glsa-201310-04.xml
• http://www.openwall.com/lists/oss-security/2013/02/21/15
• http://www.openwall.com/lists/oss-security/2013/02/22/1
• http://www.openwall.com/lists/oss-security/2013/02/24/1
• http://secunia.com/advisories/55181

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61144
• https://gist.github.com/optionGo/5ad17e96a0a40f03578dd6c9f8645952
• https://gitlab.com/libtiff/libtiff/-/commit/09f53a86cf26dfd961925227e59e180db617f26d
• https://gitlab.com/libtiff/libtiff/-/commit/88cf9dbb48f6e172629795ecffae35d5052f68aa
• https://gitlab.com/libtiff/libtiff/-/issues/740
• https://gitlab.com/libtiff/libtiff/-/merge_requests/757

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay(). The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to size_t and is passed to memcpy, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using iovl overlay boxes.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2025-68431
• https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
• https://github.com/strukturag/libheif/releases/tag/v1.21.0
• https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Remediation

There is no fixed version for Debian:13 libcap2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4878
• https://access.redhat.com/errata/RHSA-2026:7473
• https://access.redhat.com/security/cve/CVE-2026-4878
• https://bugzilla.redhat.com/show_bug.cgi?id=2447554
• https://bugzilla.redhat.com/show_bug.cgi?id=2451615
• http://www.openwall.com/lists/oss-security/2026/04/07/14
• http://www.openwall.com/lists/oss-security/2026/04/07/4
• http://www.openwall.com/lists/oss-security/2026/04/08/9
• http://www.openwall.com/lists/oss-security/2026/04/09/5
• http://www.openwall.com/lists/oss-security/2026/04/09/6
• https://access.redhat.com/errata/RHSA-2026:12423
• https://access.redhat.com/errata/RHSA-2026:12441
• https://access.redhat.com/errata/RHSA-2026:13285
• https://access.redhat.com/errata/RHSA-2026:14162
• https://access.redhat.com/errata/RHSA-2026:14937

NVD Description

Note: Versions mentioned in the description apply only to the upstream jbigkit package and not the jbigkit package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.

Remediation

There is no fixed version for Debian:13 jbigkit.

References

• https://security-tracker.debian.org/tracker/CVE-2017-9937
• http://bugzilla.maptools.org/show_bug.cgi?id=2707
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://www.securityfocus.com/bid/99304
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9937
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2022-1210
• https://gitlab.com/libtiff/libtiff/-/issues/402
• https://gitlab.com/libtiff/libtiff/uploads/c3da94e53cf1e1e8e6d4d3780dc8c42f/example.tiff
• https://security.gentoo.org/glsa/202210-10
• https://security.netapp.com/advisory/ntap-20220513-0005/
• https://vuldb.com/?id.196363

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2018-10126
• http://bugzilla.maptools.org/show_bug.cgi?id=2786
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-10126
• https://gitlab.com/libtiff/libtiff/-/issues/128
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2009-4487
• http://www.securityfocus.com/archive/1/508830/100/0/threaded
• http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
• http://www.securityfocus.com/bid/37711

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-1757
• https://access.redhat.com/security/cve/CVE-2026-1757
• https://bugzilla.redhat.com/show_bug.cgi?id=2435940
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009
• https://access.redhat.com/errata/RHSA-2026:7519

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

Remediation

There is no fixed version for Debian:13 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2007-5686
• http://www.securityfocus.com/archive/1/482129/100/100/threaded
• http://www.securityfocus.com/archive/1/482857/100/0/threaded
• https://issues.rpath.com/browse/RPL-1825
• http://secunia.com/advisories/27215
• http://www.securityfocus.com/bid/26048
• http://www.vupen.com/english/advisories/2007/3474

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14104
• https://access.redhat.com/security/cve/CVE-2025-14104
• https://bugzilla.redhat.com/show_bug.cgi?id=2419369
• https://access.redhat.com/errata/RHSA-2026:1696
• https://access.redhat.com/errata/RHSA-2026:1852
• https://access.redhat.com/errata/RHSA-2026:1913
• https://access.redhat.com/errata/RHSA-2026:2485
• https://access.redhat.com/errata/RHSA-2026:2563
• https://access.redhat.com/errata/RHSA-2026:2737
• https://access.redhat.com/errata/RHSA-2026:2800
• https://access.redhat.com/errata/RHSA-2026:3406
• https://access.redhat.com/errata/RHSA-2026:4943
• https://access.redhat.com/errata/RHSA-2026:7180

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-0990
• https://access.redhat.com/security/cve/CVE-2026-0990
• https://bugzilla.redhat.com/show_bug.cgi?id=2429959
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
• https://access.redhat.com/errata/RHSA-2026:7519

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2025-66382
• https://github.com/libexpat/libexpat/issues/1076
• http://www.openwall.com/lists/oss-security/2025/12/02/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32777
• https://github.com/libexpat/libexpat/issues/1161
• https://github.com/libexpat/libexpat/pull/1159
• https://github.com/libexpat/libexpat/pull/1162
• https://issues.oss-fuzz.com/issues/486993411

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32776
• https://github.com/libexpat/libexpat/pull/1158
• https://github.com/libexpat/libexpat/pull/1159

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32778
• https://github.com/libexpat/libexpat/pull/1159
• https://github.com/libexpat/libexpat/pull/1163

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.

Remediation

There is no fixed version for Debian:13 libpng1.6.

References

• https://security-tracker.debian.org/tracker/CVE-2021-4214
• https://access.redhat.com/security/cve/CVE-2021-4214
• https://bugzilla.redhat.com/show_bug.cgi?id=2043393
• https://github.com/glennrp/libpng/issues/302
• https://security.netapp.com/advisory/ntap-20221020-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.

Remediation

There is no fixed version for Debian:13 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2025-10911
• https://access.redhat.com/security/cve/CVE-2025-10911
• https://bugzilla.redhat.com/show_bug.cgi?id=2397838
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
• https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/77
• https://access.redhat.com/errata/RHSA-2026:11015

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27784
• https://my.f5.com/manage/s/article/K000160364

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Debian:13 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5704
• https://access.redhat.com/security/cve/CVE-2026-5704
• https://bugzilla.redhat.com/show_bug.cgi?id=2455360
• http://www.openwall.com/lists/oss-security/2026/04/11/10
• http://www.openwall.com/lists/oss-security/2026/04/11/11
• http://www.openwall.com/lists/oss-security/2026/04/12/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61143
• https://gist.github.com/optionGo/9c024cd8e7b131463b84dc60af9bb0aa
• https://gitlab.com/libtiff/libtiff/-/issues/737
• https://gitlab.com/libtiff/libtiff/-/merge_requests/755

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2022-0563
• https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u
• https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u
• https://security.gentoo.org/glsa/202401-08
• https://security.netapp.com/advisory/ntap-20220331-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Remediation

There is no fixed version for Debian:13 zlib.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27171
• https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
• https://github.com/madler/zlib/releases/tag/v1.3.2
• https://ostif.org/zlib-audit-complete/
• https://github.com/madler/zlib/issues/904
• https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.  

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2026-28755
• https://my.f5.com/manage/s/article/K000160368

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010024
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22852
• http://www.securityfocus.com/bid/109162
• https://ubuntu.com/security/CVE-2019-1010024
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010025
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22853
• https://ubuntu.com/security/CVE-2019-1010025
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Remediation

There is no fixed version for Debian:13 libpng1.6.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3713
• https://github.com/biniamf/pocs/tree/main/pnm2png
• https://github.com/pnggroup/libpng/
• https://github.com/pnggroup/libpng/issues/794
• https://vuldb.com/?ctiid.349658
• https://vuldb.com/?id.349658
• https://vuldb.com/?submit.761996

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

Remediation

There is no fixed version for Debian:13 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2015-9019
• https://bugzilla.gnome.org/show_bug.cgi?id=758400
• https://bugzilla.suse.com/show_bug.cgi?id=934119
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-9019

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31439
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/pull/28885
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31438
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/pull/28886
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31437
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in util-linux. Improper hostname canonicalization in the login(1) utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAM_RHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3184
• https://access.redhat.com/errata/RHSA-2026:7180
• https://access.redhat.com/security/cve/CVE-2026-3184
• https://bugzilla.redhat.com/show_bug.cgi?id=2442570

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Remediation

There is no fixed version for Debian:13 xz-utils.

References

• https://security-tracker.debian.org/tracker/CVE-2026-34743
• https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87
• https://github.com/tukaani-project/xz/releases/tag/v5.8.3
• https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv
• http://www.openwall.com/lists/oss-security/2026/03/31/13

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61145
• https://gist.github.com/optionGo/062f109569196dbffd8ac12020b42289
• https://gitlab.com/libtiff/libtiff/-/issues/736
• https://gitlab.com/libtiff/libtiff/-/merge_requests/753

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

Remediation

There is no fixed version for Debian:13 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2017-18018
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018
• http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2017-14159
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14159
• http://www.openldap.org/its/index.cgi?findid=8703
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14159
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

Remediation

There is no fixed version for Debian:13 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2025-5278
• https://access.redhat.com/security/cve/CVE-2025-5278
• https://bugzilla.redhat.com/show_bug.cgi?id=2368764
• http://www.openwall.com/lists/oss-security/2025/05/27/2
• http://www.openwall.com/lists/oss-security/2025/05/29/1
• https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/NEWS?id=8c9602e3a145e9596dc1a63c6ed67865814b6633#n14
• http://www.openwall.com/lists/oss-security/2025/05/29/2
• https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2013-4392
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357
• http://www.openwall.com/lists/oss-security/2013/10/01/9
• https://bugzilla.redhat.com/show_bug.cgi?id=859060

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2010-4756
• http://cxib.net/stuff/glob-0day.c
• http://securityreason.com/achievement_securityalert/89
• http://securityreason.com/exploitalert/9223
• https://bugzilla.redhat.com/show_bug.cgi?id=681681
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756
• https://security.netapp.com/advisory/ntap-20241108-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2011-3389
• http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
• http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
• http://support.apple.com/kb/HT4999
• http://support.apple.com/kb/HT5001
• http://support.apple.com/kb/HT5130
• http://support.apple.com/kb/HT5281
• http://support.apple.com/kb/HT5501
• http://support.apple.com/kb/HT6150
• http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
• http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
• http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
• http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
• http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
• http://www.us-cert.gov/cas/techalerts/TA12-010A.html
• http://www.kb.cert.org/vuls/id/864643
• http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
• http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
• http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
• http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
• http://curl.haxx.se/docs/adv_20120124B.html
• http://downloads.asterisk.org/pub/security/AST-2016-001.html
• http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
• https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
• https://bugzilla.novell.com/show_bug.cgi?id=719047
• https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
• http://technet.microsoft.com/security/advisory/2588513
• http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
• http://www.ibm.com/developerworks/java/jdk/alerts/
• http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
• http://www.opera.com/docs/changelogs/mac/1151/
• http://www.opera.com/docs/changelogs/mac/1160/
• http://www.opera.com/docs/changelogs/unix/1151/
• http://www.opera.com/docs/changelogs/unix/1160/
• http://www.opera.com/docs/changelogs/windows/1151/
• http://www.opera.com/docs/changelogs/windows/1160/
• http://www.opera.com/support/kb/view/1004/
• http://www.debian.org/security/2012/dsa-2398
• http://security.gentoo.org/glsa/glsa-201203-02.xml
• http://security.gentoo.org/glsa/glsa-201406-32.xml
• https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
• http://marc.info/?l=bugtraq&m=132750579901589&w=2
• http://marc.info/?l=bugtraq&m=132872385320240&w=2
• http://marc.info/?l=bugtraq&m=133365109612558&w=2
• http://marc.info/?l=bugtraq&m=133728004526190&w=2
• http://marc.info/?l=bugtraq&m=134254866602253&w=2
• http://marc.info/?l=bugtraq&m=134254957702612&w=2
• http://ekoparty.org/2011/juliano-rizzo.php
• http://eprint.iacr.org/2004/111
• http://eprint.iacr.org/2006/136
• http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
• https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
• http://vnhacker.blogspot.com/2011/09/beast.html
• http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
• http://www.insecure.cl/Beast-SSL.rar
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
• http://technet.microsoft.com/security/bulletin/MS12-006
• http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
• http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
• http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
• http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
• http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
• http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
• http://osvdb.org/74829
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
• https://bugzilla.redhat.com/show_bug.cgi?id=737506
• http://rhn.redhat.com/errata/RHSA-2012-0508.html
• http://rhn.redhat.com/errata/RHSA-2013-1455.html
• http://secunia.com/advisories/45791
• http://secunia.com/advisories/47998
• http://secunia.com/advisories/48256
• http://secunia.com/advisories/48692
• http://secunia.com/advisories/48915
• http://secunia.com/advisories/48948
• http://secunia.com/advisories/49198
• http://secunia.com/advisories/55322
• http://secunia.com/advisories/55350
• http://secunia.com/advisories/55351
• http://www.securityfocus.com/bid/49388
• http://www.securityfocus.com/bid/49778
• http://www.securitytracker.com/id?1025997
• http://www.securitytracker.com/id?1026103
• http://www.securitytracker.com/id?1026704
• http://www.securitytracker.com/id/1029190
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
• https://hermes.opensuse.org/messages/13154861
• https://hermes.opensuse.org/messages/13155432
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2011-3389
• http://www.ubuntu.com/usn/USN-1263-1
• http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
• http://www.redhat.com/support/errata/RHSA-2011-1384.html
• http://www.redhat.com/support/errata/RHSA-2012-0006.html
• https://github.com/mpgn/BEAST-PoC

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

Remediation

There is no fixed version for Debian:13 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2021-45346
• https://github.com/guyinatuxedo/sqlite3_record_leaking
• https://security.netapp.com/advisory/ntap-20220303-0001/
• https://sqlite.org/forum/forumpost/056d557c2f8c452ed5
• https://sqlite.org/forum/forumpost/53de8864ba114bf6
• https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2020-15719
• https://access.redhat.com/errata/RHBA-2019:3674
• https://bugs.openldap.org/show_bug.cgi?id=9266
• https://bugzilla.redhat.com/show_bug.cgi?id=1740070
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream apt package and not the apt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Remediation

There is no fixed version for Debian:13 apt.

References

• https://security-tracker.debian.org/tracker/CVE-2011-3374
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480
• https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html
• https://seclists.org/fulldisclosure/2011/Sep/221
• https://snyk.io/vuln/SNYK-LINUX-APT-116518
• https://ubuntu.com/security/CVE-2011-3374
• https://access.redhat.com/security/cve/cve-2011-3374

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3832
• https://access.redhat.com/security/cve/CVE-2026-3832
• https://bugzilla.redhat.com/show_bug.cgi?id=2445762
• https://access.redhat.com/errata/RHSA-2026:13274
• https://gitlab.com/gnutls/gnutls/-/issues/1801

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-0989
• https://access.redhat.com/security/cve/CVE-2026-0989
• https://bugzilla.redhat.com/show_bug.cgi?id=2429933
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/998
• https://access.redhat.com/errata/RHSA-2026:7519

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2026-28753
• https://my.f5.com/manage/s/article/K000160367

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3949
• https://github.com/biniamf/pocs/tree/main/libheif_vvdec
• https://github.com/strukturag/libheif/
• https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03
• https://github.com/strukturag/libheif/issues/1712
• https://github.com/strukturag/libheif/issues/1712#issuecomment-3947938531
• https://vuldb.com/?ctiid.350381
• https://vuldb.com/?id.350381
• https://vuldb.com/?submit.765979

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8732
• https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/958#note_2505853
• https://vuldb.com/?ctiid.319228
• https://vuldb.com/?id.319228
• https://vuldb.com/?submit.622285

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.

Remediation

There is no fixed version for Debian:13 ncurses.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6141
• https://invisible-island.net/ncurses/NEWS.html#index-t20250329
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html
• https://vuldb.com/?ctiid.312610
• https://vuldb.com/?id.312610
• https://vuldb.com/?submit.593000
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2011-4116
• https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14
• https://rt.cpan.org/Public/Bug/Display.html?id=69106
• https://seclists.org/oss-sec/2011/q4/238
• http://www.openwall.com/lists/oss-security/2011/11/04/2
• http://www.openwall.com/lists/oss-security/2011/11/04/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2026-40228
• https://www.openwall.com/lists/oss-security/2026/04/08/1
• http://www.openwall.com/lists/oss-security/2026/05/05/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.

Remediation

There is no fixed version for Debian:13 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2025-11731
• https://access.redhat.com/security/cve/CVE-2025-11731
• https://bugzilla.redhat.com/show_bug.cgi?id=2403688
• https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/78
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/151
• https://access.redhat.com/errata/RHSA-2026:11015

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-0992
• https://access.redhat.com/security/cve/CVE-2026-0992
• https://bugzilla.redhat.com/show_bug.cgi?id=2429975
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
• https://access.redhat.com/errata/RHSA-2026:7519

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-24515
• https://github.com/libexpat/libexpat/pull/1131

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used."

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8534
• http://www.libtiff.org/
• https://drive.google.com/file/d/15JPA3kLYiYD-nRNJ8y8HmnYjhv9NE7k6/view?usp=drive_link
• https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b
• https://gitlab.com/libtiff/libtiff/-/merge_requests/746
• https://vuldb.com/?ctiid.318664
• https://vuldb.com/?id.318664
• https://gitlab.com/libtiff/libtiff/-/issues/718
• https://vuldb.com/?submit.617831

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms.

This prevents curl from detecting MITM attackers and more.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-10966
• https://curl.se/docs/CVE-2025-10966.html
• https://curl.se/docs/CVE-2025-10966.json
• https://hackerone.com/reports/3355218
• http://www.openwall.com/lists/oss-security/2025/11/05/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool,curl should check the public key of the server certificate to verify the peer.

This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13034
• https://curl.se/docs/CVE-2025-13034.html
• https://curl.se/docs/CVE-2025-13034.json

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.

Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14017
• https://curl.se/docs/CVE-2025-14017.html
• https://curl.se/docs/CVE-2025-14017.json
• http://www.openwall.com/lists/oss-security/2026/01/07/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14819
• https://curl.se/docs/CVE-2025-14819.html
• https://curl.se/docs/CVE-2025-14819.json
• http://www.openwall.com/lists/oss-security/2026/01/07/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15079
• https://curl.se/docs/CVE-2025-15079.html
• https://curl.se/docs/CVE-2025-15079.json
• https://hackerone.com/reports/3477116
• http://www.openwall.com/lists/oss-security/2026/01/07/6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15224
• https://curl.se/docs/CVE-2025-15224.html
• https://curl.se/docs/CVE-2025-15224.json
• https://hackerone.com/reports/3480925
• http://www.openwall.com/lists/oss-security/2026/01/07/7

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates connections and not requests, contrary to how HTTP is designed to work.

An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with user1:password1 and then does another operation to the same server also using Negotiate but with user2:password2 (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...

The set of authentication methods to use is set with CURLOPT_HTTPAUTH.

Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API).

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-1965
• https://curl.se/docs/CVE-2026-1965.html
• https://curl.se/docs/CVE-2026-1965.json

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.

If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3783
• https://curl.se/docs/CVE-2026-3783.html
• https://curl.se/docs/CVE-2026-3783.json
• https://hackerone.com/reports/3583983
• http://www.openwall.com/lists/oss-security/2026/03/11/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3784
• https://curl.se/docs/CVE-2026-3784.html
• https://curl.se/docs/CVE-2026-3784.json
• https://hackerone.com/reports/3584903
• http://www.openwall.com/lists/oss-security/2026/03/11/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3805
• https://curl.se/docs/CVE-2026-3805.html
• https://curl.se/docs/CVE-2026-3805.json
• https://hackerone.com/reports/3591944
• http://www.openwall.com/lists/oss-security/2026/03/11/4

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4873

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5545

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5773

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6253

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6276

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6429

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-7168

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14524
• https://curl.se/docs/CVE-2025-14524.html
• https://curl.se/docs/CVE-2025-14524.json
• https://hackerone.com/reports/3459417
• http://www.openwall.com/lists/oss-security/2026/01/07/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2025-59375
• https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
• https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes
• https://github.com/libexpat/libexpat/issues/1018
• https://github.com/libexpat/libexpat/pull/1034
• https://issues.oss-fuzz.com/issues/439133977
• http://www.openwall.com/lists/oss-security/2025/09/16/2
• http://www.openwall.com/lists/oss-security/2026/05/01/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-41080
• https://github.com/libexpat/libexpat/issues/47
• https://github.com/libexpat/libexpat/pull/1183
• http://www.openwall.com/lists/oss-security/2026/04/26/1
• https://blog.hartwork.org/posts/expat-2-8-0-released/
• https://www.openwall.com/lists/oss-security/2026/04/26/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4046
• https://sourceware.org/bugzilla/show_bug.cgi?id=33980
• https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD
• https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4437
• https://sourceware.org/bugzilla/show_bug.cgi?id=34014

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4438
• https://sourceware.org/bugzilla/show_bug.cgi?id=34015

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5435
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=34033

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5928
• https://sourceware.org/bugzilla/show_bug.cgi?id=33998

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.

These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6238
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=34069

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5450
• https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42009

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42012

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42013

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42014

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42015

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5260

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5419

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Remediation

There is no fixed version for Debian:13 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2024-26461
• https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
• https://security.netapp.com/advisory/ntap-20240415-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.

Remediation

There is no fixed version for Debian:13 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2026-40356
• https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html
• https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
• https://web.mit.edu/kerberos/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Remediation

There is no fixed version for Debian:13 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2024-26458
• https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md
• https://security.netapp.com/advisory/ntap-20240415-0010/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.

Remediation

There is no fixed version for Debian:13 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2026-40355
• https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
• https://web.mit.edu/kerberos/advisories/
• https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc

Remediation

There is no fixed version for Debian:13 libde265.

References

• https://security-tracker.debian.org/tracker/CVE-2024-38949
• https://github.com/strukturag/libde265/issues/460
• https://github.com/zhangteng0526/CVE-information/blob/main/CVE-2024-38949

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.

Remediation

There is no fixed version for Debian:13 libde265.

References

• https://security-tracker.debian.org/tracker/CVE-2024-38950
• https://github.com/strukturag/libde265/issues/460
• https://github.com/zhangteng0526/CVE-information/blob/main/CVE-2024-38950

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

strukturag libde265 commit d9fea9d wa discovered to contain a segmentation fault via the component decoder_context::compute_framedrop_table().

Remediation

There is no fixed version for Debian:13 libde265.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61147
• https://gist.github.com/optionGo/e6567a1c2bc4e0c9fee4e1e8be8d6af9
• https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7
• https://github.com/strukturag/libde265/issues/484

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Debian:13 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2024-2236
• https://access.redhat.com/errata/RHSA-2024:9404
• https://bugzilla.redhat.com/show_bug.cgi?id=2268268
• https://access.redhat.com/errata/RHSA-2025:3534
• https://access.redhat.com/errata/RHSA-2025:3530
• https://access.redhat.com/security/cve/CVE-2024-2236
• https://bugzilla.redhat.com/show_bug.cgi?id=2245218

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Remediation

There is no fixed version for Debian:13 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2026-41989
• https://dev.gnupg.org/T8211
• https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html
• https://www.openwall.com/lists/oss-security/2026/04/21/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.

Remediation

There is no fixed version for Debian:13 libpng1.6.

References

• https://security-tracker.debian.org/tracker/CVE-2026-34757
• https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a
• https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc
• https://github.com/pnggroup/libpng/issues/836
• https://github.com/pnggroup/libpng/issues/837
• https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645
• https://lists.debian.org/debian-lts-announce/2026/05/msg00017.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Remediation

There is no fixed version for Debian:13 libtasn1-6.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13151
• https://gitlab.com/gnutls/libtasn1
• https://gitlab.com/gnutls/libtasn1/-/merge_requests/121
• http://www.openwall.com/lists/oss-security/2026/01/08/5
• https://www.kb.cert.org/vuls/id/271649

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 libxpm.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4367

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API nghttp2_session_terminate_session or nghttp2_session_terminate_session2 is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Remediation

There is no fixed version for Debian:13 nghttp2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27135
• https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
• https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6
• http://www.openwall.com/lists/oss-security/2026/03/20/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2026-22185
• https://seclists.org/fulldisclosure/2026/Jan/5
• https://seclists.org/fulldisclosure/2026/Jan/8
• https://www.openldap.org/
• https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline
• https://bugs.openldap.org/show_bug.cgi?id=10421

NVD Description

Note: Versions mentioned in the description apply only to the upstream sed package and not the sed package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:

1. resolves symlink to its target and stores the resolved path for determining when output is written,
2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.

This issue was fixed in version 4.10.

Remediation

There is no fixed version for Debian:13 sed.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5958
• https://cert.pl/en/posts/2026/04/CVE-2026-5958
• https://www.gnu.org/software/sed/

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Debian:13 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2024-56433
• https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
• https://github.com/shadow-maint/shadow/issues/1157
• https://github.com/shadow-maint/shadow/releases/tag/4.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

Remediation

There is no fixed version for Debian:13 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2025-70873
• https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054
• https://sqlite.org/forum/forumpost/761eac3c82
• https://sqlite.org/src/info/3d459f1fb1bd1b5e

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2026-29111
• https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a
• https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6
• https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412
• https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd
• https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f
• https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f
• https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69
• https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6
• https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c
• https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8
• https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764