NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010022
• https://sourceware.org/bugzilla/show_bug.cgi?id=22850
• https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3
• https://ubuntu.com/security/CVE-2019-1010022

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.

Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.

A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-8376
• https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c.patch
• http://www.openwall.com/lists/oss-security/2026/05/26/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

Remediation

There is no fixed version for Debian:13 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2005-2541
• http://marc.info/?l=bugtraq&m=112327628230258&w=2
• https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E
• https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.

_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.

A subsequent open through the extracted name reads or writes the attacker chosen path.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42496
• https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch
• https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes
• https://www.cve.org/CVERecord?id=CVE-2026-42497

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22851
• http://www.securityfocus.com/bid/109167
• https://ubuntu.com/security/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-25210
• https://github.com/libexpat/libexpat/pull/1075
• https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.

Remediation

There is no fixed version for Debian:13 ncurses.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69720
• https://github.com/Cao-Wuhui/CVE-2025-69720
• https://invisible-island.net/archives/ncurses/6.5/
• https://invisible-island.net/ncurses/
• https://marc.info/?l=ncurses-bug&m=176539968328570&w=2
• https://marc.info/?l=ncurses-bug&m=176540731801330&w=2
• https://marc.info/?l=ncurses-bug&m=176545557728083&w=2
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8176
• http://www.libtiff.org/
• https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172
• https://gitlab.com/libtiff/libtiff/-/issues/707
• https://gitlab.com/libtiff/libtiff/-/merge_requests/727
• https://vuldb.com/?ctiid.317590
• https://vuldb.com/?id.317590
• https://vuldb.com/?submit.621796

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8177
• http://www.libtiff.org/
• https://gitlab.com/libtiff/libtiff/-/commit/e8c9d6c616b19438695fd829e58ae4fde5bfbc22
• https://gitlab.com/libtiff/libtiff/-/merge_requests/737
• https://vuldb.com/?ctiid.317591
• https://vuldb.com/?id.317591
• https://gitlab.com/libtiff/libtiff/-/issues/715
• https://vuldb.com/?submit.621797

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6276
• https://curl.se/docs/CVE-2026-6276.html
• https://curl.se/docs/CVE-2026-6276.json
• http://www.openwall.com/lists/oss-security/2026/04/29/13
• https://hackerone.com/reports/3671818

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should.

This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5773
• https://curl.se/docs/CVE-2026-5773.html
• https://curl.se/docs/CVE-2026-5773.json
• http://www.openwall.com/lists/oss-security/2026/04/29/9
• https://hackerone.com/reports/3650689

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
• https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
• https://security.netapp.com/advisory/ntap-20190315-0002/
• http://www.securityfocus.com/bid/107160
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=24269
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Debian:13 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2018-5709
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5709
• https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

Remediation

There is no fixed version for Debian:13 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6829
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
• https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
• https://www.oracle.com/security-alerts/cpujan2020.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2015-3276
• http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1238322
• http://rhn.redhat.com/errata/RHSA-2015-2131.html
• http://www.securitytracker.com/id/1034221
• https://access.redhat.com/errata/RHSA-2015:2131
• https://access.redhat.com/security/cve/CVE-2015-3276

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2017-17740
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
• http://www.openldap.org/its/index.cgi/Incoming?id=8759
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory.

_make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode.

A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42497
• https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch
• https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes
• https://www.cve.org/CVERecord?id=CVE-2026-42496

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header.

_read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value.

A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-9538
• https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7.patch
• https://metacpan.org/release/BINGOS/Archive-Tar-3.10/changes
• http://www.openwall.com/lists/oss-security/2026/05/26/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2017-16232
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16232
• http://packetstormsecurity.com/files/150896/LibTIFF-4.0.8-Memory-Leak.html
• http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html
• http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00041.html
• http://www.openwall.com/lists/oss-security/2017/11/01/11
• http://www.openwall.com/lists/oss-security/2017/11/01/3
• http://www.openwall.com/lists/oss-security/2017/11/01/7
• http://www.openwall.com/lists/oss-security/2017/11/01/8
• http://seclists.org/fulldisclosure/2018/Dec/32
• http://seclists.org/fulldisclosure/2018/Dec/47
• http://www.securityfocus.com/bid/101696

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

Remediation

There is no fixed version for Debian:13 libssh2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-7598
• https://github.com/libssh2/libssh2/
• https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
• https://github.com/libssh2/libssh2/pull/1858
• https://vuldb.com/vuln/360555
• https://vuldb.com/vuln/360555/cti
• https://vuldb.com/submit/805564

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2013-0337
• http://security.gentoo.org/glsa/glsa-201310-04.xml
• http://www.openwall.com/lists/oss-security/2013/02/21/15
• http://www.openwall.com/lists/oss-security/2013/02/22/1
• http://www.openwall.com/lists/oss-security/2013/02/24/1
• http://secunia.com/advisories/55181

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61144
• https://gist.github.com/optionGo/5ad17e96a0a40f03578dd6c9f8645952
• https://gitlab.com/libtiff/libtiff/-/commit/09f53a86cf26dfd961925227e59e180db617f26d
• https://gitlab.com/libtiff/libtiff/-/commit/88cf9dbb48f6e172629795ecffae35d5052f68aa
• https://gitlab.com/libtiff/libtiff/-/issues/740
• https://gitlab.com/libtiff/libtiff/-/merge_requests/757

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay(). The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to size_t and is passed to memcpy, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using iovl overlay boxes.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2025-68431
• https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
• https://github.com/strukturag/libheif/releases/tag/v1.21.0
• https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials.

An application that first uses Negotiate authentication to a server with user1:password1 and then does another operation to the same server asking for any authentication method but for user2:password2 (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5545
• https://curl.se/docs/CVE-2026-5545.html
• https://curl.se/docs/CVE-2026-5545.json
• https://hackerone.com/reports/3642555

NVD Description

Note: Versions mentioned in the description apply only to the upstream jbigkit package and not the jbigkit package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.

Remediation

There is no fixed version for Debian:13 jbigkit.

References

• https://security-tracker.debian.org/tracker/CVE-2017-9937
• http://bugzilla.maptools.org/show_bug.cgi?id=2707
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://www.securityfocus.com/bid/99304
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9937
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42946
• https://my.f5.com/manage/s/article/K000161027

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2022-1210
• https://gitlab.com/libtiff/libtiff/-/issues/402
• https://gitlab.com/libtiff/libtiff/uploads/c3da94e53cf1e1e8e6d4d3780dc8c42f/example.tiff
• https://security.gentoo.org/glsa/202210-10
• https://security.netapp.com/advisory/ntap-20220513-0005/
• https://vuldb.com/?id.196363

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2018-10126
• http://bugzilla.maptools.org/show_bug.cgi?id=2786
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-10126
• https://gitlab.com/libtiff/libtiff/-/issues/128
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2009-4487
• http://www.securityfocus.com/archive/1/508830/100/0/threaded
• http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
• http://www.securityfocus.com/bid/37711

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-1757
• https://access.redhat.com/security/cve/CVE-2026-1757
• https://bugzilla.redhat.com/show_bug.cgi?id=2435940
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009
• https://access.redhat.com/errata/RHSA-2026:7519

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

Remediation

There is no fixed version for Debian:13 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2007-5686
• http://www.securityfocus.com/archive/1/482129/100/100/threaded
• http://www.securityfocus.com/archive/1/482857/100/0/threaded
• https://issues.rpath.com/browse/RPL-1825
• http://secunia.com/advisories/27215
• http://www.securityfocus.com/bid/26048
• http://www.vupen.com/english/advisories/2007/3474

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14104
• https://access.redhat.com/security/cve/CVE-2025-14104
• https://bugzilla.redhat.com/show_bug.cgi?id=2419369
• https://access.redhat.com/errata/RHSA-2026:1696
• https://access.redhat.com/errata/RHSA-2026:1852
• https://access.redhat.com/errata/RHSA-2026:1913
• https://access.redhat.com/errata/RHSA-2026:2485
• https://access.redhat.com/errata/RHSA-2026:2563
• https://access.redhat.com/errata/RHSA-2026:2737
• https://access.redhat.com/errata/RHSA-2026:2800
• https://access.redhat.com/errata/RHSA-2026:3406
• https://access.redhat.com/errata/RHSA-2026:4943
• https://access.redhat.com/errata/RHSA-2026:7180

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-0990
• https://access.redhat.com/security/cve/CVE-2026-0990
• https://bugzilla.redhat.com/show_bug.cgi?id=2429959
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
• https://access.redhat.com/errata/RHSA-2026:7519

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2025-66382
• https://github.com/libexpat/libexpat/issues/1076
• http://www.openwall.com/lists/oss-security/2025/12/02/1
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32777
• https://github.com/libexpat/libexpat/issues/1161
• https://github.com/libexpat/libexpat/pull/1159
• https://github.com/libexpat/libexpat/pull/1162
• https://issues.oss-fuzz.com/issues/486993411

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32776
• https://github.com/libexpat/libexpat/pull/1158
• https://github.com/libexpat/libexpat/pull/1159

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32778
• https://github.com/libexpat/libexpat/pull/1159
• https://github.com/libexpat/libexpat/pull/1163

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.

Remediation

There is no fixed version for Debian:13 libpng1.6.

References

• https://security-tracker.debian.org/tracker/CVE-2021-4214
• https://access.redhat.com/security/cve/CVE-2021-4214
• https://bugzilla.redhat.com/show_bug.cgi?id=2043393
• https://github.com/glennrp/libpng/issues/302
• https://security.netapp.com/advisory/ntap-20221020-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.

Remediation

There is no fixed version for Debian:13 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2025-10911
• https://access.redhat.com/security/cve/CVE-2025-10911
• https://bugzilla.redhat.com/show_bug.cgi?id=2397838
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
• https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/77
• https://access.redhat.com/errata/RHSA-2026:11015

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for Debian:13 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5704
• https://access.redhat.com/security/cve/CVE-2026-5704
• https://bugzilla.redhat.com/show_bug.cgi?id=2455360
• http://www.openwall.com/lists/oss-security/2026/04/11/10
• http://www.openwall.com/lists/oss-security/2026/04/11/11
• http://www.openwall.com/lists/oss-security/2026/04/12/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61143
• https://gist.github.com/optionGo/9c024cd8e7b131463b84dc60af9bb0aa
• https://gitlab.com/libtiff/libtiff/-/issues/737
• https://gitlab.com/libtiff/libtiff/-/merge_requests/755

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2022-0563
• https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u
• https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u
• https://security.gentoo.org/glsa/202401-08
• https://security.netapp.com/advisory/ntap-20220331-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Remediation

There is no fixed version for Debian:13 zlib.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27171
• https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
• https://github.com/madler/zlib/releases/tag/v1.3.2
• https://ostif.org/zlib-audit-complete/
• https://github.com/madler/zlib/issues/904
• https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to proxyB.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-7168
• https://curl.se/docs/CVE-2026-7168.html
• https://curl.se/docs/CVE-2026-7168.json
• http://www.openwall.com/lists/oss-security/2026/04/29/14
• https://hackerone.com/reports/3697719

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010024
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22852
• http://www.securityfocus.com/bid/109162
• https://ubuntu.com/security/CVE-2019-1010024
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010025
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22853
• https://ubuntu.com/security/CVE-2019-1010025
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Remediation

There is no fixed version for Debian:13 libpng1.6.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3713
• https://github.com/biniamf/pocs/tree/main/pnm2png
• https://github.com/pnggroup/libpng/
• https://github.com/pnggroup/libpng/issues/794
• https://vuldb.com/?ctiid.349658
• https://vuldb.com/?id.349658
• https://vuldb.com/?submit.761996

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

Remediation

There is no fixed version for Debian:13 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2015-9019
• https://bugzilla.gnome.org/show_bug.cgi?id=758400
• https://bugzilla.suse.com/show_bug.cgi?id=934119
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-9019

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31439
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/pull/28885
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31438
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/pull/28886
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31437
• https://github.com/kastel-security/Journald
• https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf
• https://github.com/systemd/systemd/releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in util-linux. Improper hostname canonicalization in the login(1) utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAM_RHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3184
• https://access.redhat.com/errata/RHSA-2026:7180
• https://access.redhat.com/security/cve/CVE-2026-3184
• https://bugzilla.redhat.com/show_bug.cgi?id=2442570

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Remediation

There is no fixed version for Debian:13 xz-utils.

References

• https://security-tracker.debian.org/tracker/CVE-2026-34743
• https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87
• https://github.com/tukaani-project/xz/releases/tag/v5.8.3
• https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv
• http://www.openwall.com/lists/oss-security/2026/03/31/13

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61145
• https://gist.github.com/optionGo/062f109569196dbffd8ac12020b42289
• https://gitlab.com/libtiff/libtiff/-/issues/736
• https://gitlab.com/libtiff/libtiff/-/merge_requests/753

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

Remediation

There is no fixed version for Debian:13 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2017-18018
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018
• http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2017-14159
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14159
• http://www.openldap.org/its/index.cgi?findid=8703
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14159
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

Remediation

There is no fixed version for Debian:13 coreutils.

References

• https://security-tracker.debian.org/tracker/CVE-2025-5278
• https://access.redhat.com/security/cve/CVE-2025-5278
• https://bugzilla.redhat.com/show_bug.cgi?id=2368764
• http://www.openwall.com/lists/oss-security/2025/05/27/2
• http://www.openwall.com/lists/oss-security/2025/05/29/1
• https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/NEWS?id=8c9602e3a145e9596dc1a63c6ed67865814b6633#n14
• http://www.openwall.com/lists/oss-security/2025/05/29/2
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507
• https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2013-4392
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357
• http://www.openwall.com/lists/oss-security/2013/10/01/9
• https://bugzilla.redhat.com/show_bug.cgi?id=859060

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2010-4756
• http://cxib.net/stuff/glob-0day.c
• http://securityreason.com/achievement_securityalert/89
• http://securityreason.com/exploitalert/9223
• https://bugzilla.redhat.com/show_bug.cgi?id=681681
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756
• https://security.netapp.com/advisory/ntap-20241108-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Remediation

There is no fixed version for Debian:13 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2011-3389
• http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
• http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
• http://support.apple.com/kb/HT4999
• http://support.apple.com/kb/HT5001
• http://support.apple.com/kb/HT5130
• http://support.apple.com/kb/HT5281
• http://support.apple.com/kb/HT5501
• http://support.apple.com/kb/HT6150
• http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
• http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
• http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
• http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
• http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
• http://www.us-cert.gov/cas/techalerts/TA12-010A.html
• http://www.kb.cert.org/vuls/id/864643
• http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
• http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
• http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
• http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
• http://curl.haxx.se/docs/adv_20120124B.html
• http://downloads.asterisk.org/pub/security/AST-2016-001.html
• http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
• https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
• https://bugzilla.novell.com/show_bug.cgi?id=719047
• https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
• http://technet.microsoft.com/security/advisory/2588513
• http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
• http://www.ibm.com/developerworks/java/jdk/alerts/
• http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
• http://www.opera.com/docs/changelogs/mac/1151/
• http://www.opera.com/docs/changelogs/mac/1160/
• http://www.opera.com/docs/changelogs/unix/1151/
• http://www.opera.com/docs/changelogs/unix/1160/
• http://www.opera.com/docs/changelogs/windows/1151/
• http://www.opera.com/docs/changelogs/windows/1160/
• http://www.opera.com/support/kb/view/1004/
• http://www.debian.org/security/2012/dsa-2398
• http://security.gentoo.org/glsa/glsa-201203-02.xml
• http://security.gentoo.org/glsa/glsa-201406-32.xml
• https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
• http://marc.info/?l=bugtraq&m=132750579901589&w=2
• http://marc.info/?l=bugtraq&m=132872385320240&w=2
• http://marc.info/?l=bugtraq&m=133365109612558&w=2
• http://marc.info/?l=bugtraq&m=133728004526190&w=2
• http://marc.info/?l=bugtraq&m=134254866602253&w=2
• http://marc.info/?l=bugtraq&m=134254957702612&w=2
• http://ekoparty.org/2011/juliano-rizzo.php
• http://eprint.iacr.org/2004/111
• http://eprint.iacr.org/2006/136
• http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
• https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
• http://vnhacker.blogspot.com/2011/09/beast.html
• http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
• http://www.insecure.cl/Beast-SSL.rar
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
• http://technet.microsoft.com/security/bulletin/MS12-006
• http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
• http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
• http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
• http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
• http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
• http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
• http://osvdb.org/74829
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
• https://bugzilla.redhat.com/show_bug.cgi?id=737506
• http://rhn.redhat.com/errata/RHSA-2012-0508.html
• http://rhn.redhat.com/errata/RHSA-2013-1455.html
• http://secunia.com/advisories/45791
• http://secunia.com/advisories/47998
• http://secunia.com/advisories/48256
• http://secunia.com/advisories/48692
• http://secunia.com/advisories/48915
• http://secunia.com/advisories/48948
• http://secunia.com/advisories/49198
• http://secunia.com/advisories/55322
• http://secunia.com/advisories/55350
• http://secunia.com/advisories/55351
• http://www.securityfocus.com/bid/49388
• http://www.securityfocus.com/bid/49778
• http://www.securitytracker.com/id?1025997
• http://www.securitytracker.com/id?1026103
• http://www.securitytracker.com/id?1026704
• http://www.securitytracker.com/id/1029190
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
• https://hermes.opensuse.org/messages/13154861
• https://hermes.opensuse.org/messages/13155432
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2011-3389
• http://www.ubuntu.com/usn/USN-1263-1
• http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
• http://www.redhat.com/support/errata/RHSA-2011-1384.html
• http://www.redhat.com/support/errata/RHSA-2012-0006.html
• https://github.com/mpgn/BEAST-PoC

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

Remediation

There is no fixed version for Debian:13 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2021-45346
• https://github.com/guyinatuxedo/sqlite3_record_leaking
• https://security.netapp.com/advisory/ntap-20220303-0001/
• https://sqlite.org/forum/forumpost/056d557c2f8c452ed5
• https://sqlite.org/forum/forumpost/53de8864ba114bf6
• https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2020-15719
• https://access.redhat.com/errata/RHBA-2019:3674
• https://bugs.openldap.org/show_bug.cgi?id=9266
• https://bugzilla.redhat.com/show_bug.cgi?id=1740070
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream apt package and not the apt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Remediation

There is no fixed version for Debian:13 apt.

References

• https://security-tracker.debian.org/tracker/CVE-2011-3374
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480
• https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html
• https://seclists.org/fulldisclosure/2011/Sep/221
• https://snyk.io/vuln/SNYK-LINUX-APT-116518
• https://ubuntu.com/security/CVE-2011-3374
• https://access.redhat.com/security/cve/cve-2011-3374

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-0989
• https://access.redhat.com/security/cve/CVE-2026-0989
• https://bugzilla.redhat.com/show_bug.cgi?id=2429933
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/998
• https://access.redhat.com/errata/RHSA-2026:7519

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3949
• https://github.com/biniamf/pocs/tree/main/libheif_vvdec
• https://github.com/strukturag/libheif/
• https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03
• https://github.com/strukturag/libheif/issues/1712
• https://github.com/strukturag/libheif/issues/1712#issuecomment-3947938531
• https://vuldb.com/?ctiid.350381
• https://vuldb.com/?id.350381
• https://vuldb.com/?submit.765979

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8732
• https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/958#note_2505853
• https://vuldb.com/?ctiid.319228
• https://vuldb.com/?id.319228
• https://vuldb.com/?submit.622285
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.

Remediation

There is no fixed version for Debian:13 ncurses.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6141
• https://invisible-island.net/ncurses/NEWS.html#index-t20250329
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html
• https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00114.html
• https://vuldb.com/?ctiid.312610
• https://vuldb.com/?id.312610
• https://vuldb.com/?submit.593000
• https://www.gnu.org/
• https://cert-portal.siemens.com/productcert/html/ssa-089022.html
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2011-4116
• https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14
• https://rt.cpan.org/Public/Bug/Display.html?id=69106
• https://seclists.org/oss-sec/2011/q4/238
• http://www.openwall.com/lists/oss-security/2011/11/04/2
• http://www.openwall.com/lists/oss-security/2011/11/04/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.

Remediation

There is no fixed version for Debian:13 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2026-40228
• https://www.openwall.com/lists/oss-security/2026/04/08/1
• http://www.openwall.com/lists/oss-security/2026/05/05/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.

Remediation

There is no fixed version for Debian:13 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2025-11731
• https://access.redhat.com/security/cve/CVE-2025-11731
• https://bugzilla.redhat.com/show_bug.cgi?id=2403688
• https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/78
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/151
• https://access.redhat.com/errata/RHSA-2026:11015

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Remediation

There is no fixed version for Debian:13 libxml2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-0992
• https://access.redhat.com/security/cve/CVE-2026-0992
• https://bugzilla.redhat.com/show_bug.cgi?id=2429975
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
• https://access.redhat.com/errata/RHSA-2026:7519

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-24515
• https://github.com/libexpat/libexpat/pull/1131
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used."

Remediation

There is no fixed version for Debian:13 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-8534
• http://www.libtiff.org/
• https://drive.google.com/file/d/15JPA3kLYiYD-nRNJ8y8HmnYjhv9NE7k6/view?usp=drive_link
• https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b
• https://gitlab.com/libtiff/libtiff/-/merge_requests/746
• https://vuldb.com/?ctiid.318664
• https://vuldb.com/?id.318664
• https://gitlab.com/libtiff/libtiff/-/issues/718
• https://vuldb.com/?submit.617831

NVD Description

Note: Versions mentioned in the description apply only to the upstream bzip2 package and not the bzip2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

bzip2 contains an off‑by‑one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out‑of‑bounds write to a global buffer, resulting in memory corruption and a crash (denial of service).

This issue was fixed in bzip2 patch 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67

Remediation

There is no fixed version for Debian:13 bzip2.

References

• https://security-tracker.debian.org/tracker/CVE-2026-42250
• https://cert.pl/en/posts/2026/05/CVE-2026-42250/
• https://sourceware.org/bzip2/
• https://inbox.sourceware.org/bzip2-devel/20260528145407.293768-1-mark@klomp.org/
• https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms.

This prevents curl from detecting MITM attackers and more.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-10966
• https://curl.se/docs/CVE-2025-10966.json
• https://hackerone.com/reports/3355218
• https://curl.se/docs/CVE-2025-10966.html
• http://www.openwall.com/lists/oss-security/2025/11/05/2
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.

Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14017
• https://curl.se/docs/CVE-2025-14017.html
• https://curl.se/docs/CVE-2025-14017.json
• http://www.openwall.com/lists/oss-security/2026/01/07/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14819
• https://curl.se/docs/CVE-2025-14819.html
• https://curl.se/docs/CVE-2025-14819.json
• http://www.openwall.com/lists/oss-security/2026/01/07/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15079
• https://curl.se/docs/CVE-2025-15079.html
• https://curl.se/docs/CVE-2025-15079.json
• https://hackerone.com/reports/3477116
• http://www.openwall.com/lists/oss-security/2026/01/07/6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15224
• https://curl.se/docs/CVE-2025-15224.html
• https://curl.se/docs/CVE-2025-15224.json
• https://hackerone.com/reports/3480925
• http://www.openwall.com/lists/oss-security/2026/01/07/7

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates connections and not requests, contrary to how HTTP is designed to work.

An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with user1:password1 and then does another operation to the same server also using Negotiate but with user2:password2 (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...

The set of authentication methods to use is set with CURLOPT_HTTPAUTH.

Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API).

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-1965
• https://curl.se/docs/CVE-2026-1965.html
• https://curl.se/docs/CVE-2026-1965.json

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.

If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3783
• https://curl.se/docs/CVE-2026-3783.html
• https://curl.se/docs/CVE-2026-3783.json
• https://hackerone.com/reports/3583983
• http://www.openwall.com/lists/oss-security/2026/03/11/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3784
• https://curl.se/docs/CVE-2026-3784.html
• https://curl.se/docs/CVE-2026-3784.json
• https://hackerone.com/reports/3584903
• http://www.openwall.com/lists/oss-security/2026/03/11/3
• https://cert-portal.siemens.com/productcert/html/ssa-253495.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-3805
• https://curl.se/docs/CVE-2026-3805.html
• https://curl.se/docs/CVE-2026-3805.json
• https://hackerone.com/reports/3591944
• http://www.openwall.com/lists/oss-security/2026/03/11/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6429
• https://curl.se/docs/CVE-2026-6429.html
• https://curl.se/docs/CVE-2026-6429.json
• https://hackerone.com/reports/3677759

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4873
• https://curl.se/docs/CVE-2026-4873.html
• https://curl.se/docs/CVE-2026-4873.json
• https://hackerone.com/reports/3621851
• http://www.openwall.com/lists/oss-security/2026/04/29/7

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

curl might erroneously pass on credentials for a first proxy to a second proxy.

This can happen when the following conditions are true:

1. curl is setup to use specific different proxies for different URL schemes
2. the first proxy needs credentials
3. the second proxy uses no credentials
4. while using the first proxy (using say http://), curl is asked to follow a redirect to a URL using another scheme (say https://), accessed using a second, different, proxy

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6253
• https://curl.se/docs/CVE-2026-6253.html
• https://curl.se/docs/CVE-2026-6253.json
• http://www.openwall.com/lists/oss-security/2026/04/29/11
• https://hackerone.com/reports/3669637

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Remediation

There is no fixed version for Debian:13 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14524
• https://curl.se/docs/CVE-2025-14524.html
• https://curl.se/docs/CVE-2025-14524.json
• https://hackerone.com/reports/3459417
• http://www.openwall.com/lists/oss-security/2026/01/07/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2025-59375
• https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
• https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes
• https://github.com/libexpat/libexpat/issues/1018
• https://github.com/libexpat/libexpat/pull/1034
• https://issues.oss-fuzz.com/issues/439133977
• http://www.openwall.com/lists/oss-security/2025/09/16/2
• http://www.openwall.com/lists/oss-security/2026/05/01/5
• https://cert-portal.siemens.com/productcert/html/ssa-082556.html
• https://cert-portal.siemens.com/productcert/html/ssa-089022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Remediation

There is no fixed version for Debian:13 expat.

References

• https://security-tracker.debian.org/tracker/CVE-2026-41080
• https://github.com/libexpat/libexpat/issues/47
• https://github.com/libexpat/libexpat/pull/1183
• http://www.openwall.com/lists/oss-security/2026/04/26/1
• https://blog.hartwork.org/posts/expat-2-8-0-released/
• https://www.openwall.com/lists/oss-security/2026/04/26/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5435
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=34033

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5928
• https://sourceware.org/bugzilla/show_bug.cgi?id=33998

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.

These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-6238
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=34069

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Remediation

There is no fixed version for Debian:13 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2026-5450
• https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u
• https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Remediation

There is no fixed version for Debian:13 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2024-26461
• https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
• https://security.netapp.com/advisory/ntap-20240415-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.

Remediation

Upgrade Debian:13 krb5 to version 1.21.3-5+deb13u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-40356
• https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html
• https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
• https://web.mit.edu/kerberos/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Remediation

There is no fixed version for Debian:13 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2024-26458
• https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md
• https://security.netapp.com/advisory/ntap-20240415-0010/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.

Remediation

Upgrade Debian:13 krb5 to version 1.21.3-5+deb13u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-40355
• https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
• https://web.mit.edu/kerberos/advisories/
• https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc

Remediation

There is no fixed version for Debian:13 libde265.

References

• https://security-tracker.debian.org/tracker/CVE-2024-38949
• https://github.com/strukturag/libde265/issues/460
• https://github.com/zhangteng0526/CVE-information/blob/main/CVE-2024-38949

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.

Remediation

There is no fixed version for Debian:13 libde265.

References

• https://security-tracker.debian.org/tracker/CVE-2024-38950
• https://github.com/strukturag/libde265/issues/460
• https://github.com/zhangteng0526/CVE-information/blob/main/CVE-2024-38950

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

strukturag libde265 commit d9fea9d wa discovered to contain a segmentation fault via the component decoder_context::compute_framedrop_table().

Remediation

There is no fixed version for Debian:13 libde265.

References

• https://security-tracker.debian.org/tracker/CVE-2025-61147
• https://gist.github.com/optionGo/e6567a1c2bc4e0c9fee4e1e8be8d6af9
• https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7
• https://github.com/strukturag/libde265/issues/484

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Debian:13 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2024-2236
• https://access.redhat.com/errata/RHSA-2024:9404
• https://bugzilla.redhat.com/show_bug.cgi?id=2268268
• https://access.redhat.com/errata/RHSA-2025:3534
• https://access.redhat.com/errata/RHSA-2025:3530
• https://access.redhat.com/security/cve/CVE-2024-2236
• https://bugzilla.redhat.com/show_bug.cgi?id=2245218

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Remediation

Upgrade Debian:13 libgcrypt20 to version 1.11.0-7+deb13u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2026-41989
• https://dev.gnupg.org/T8211
• https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html
• https://www.openwall.com/lists/oss-security/2026/04/21/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entry_count == 0 (creating no chunks) while still passing validation because saio.entry_count == 0 matches, but with saiz.sample_count > 0 the SampleAuxInfoReader constructor still enters its loop. This leads to an out-of-bounds dereference on the empty chunks[0] in chunked mode.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2026-41069
• https://github.com/strukturag/libheif/releases/tag/v1.22.0
• https://github.com/strukturag/libheif/security/advisories/GHSA-p82x-fpmv-576r

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32741
• https://github.com/strukturag/libheif/releases/tag/v1.22.0
• https://github.com/strukturag/libheif/security/advisories/GHSA-j3w5-7whq-p37q

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized heap memory information leak. The canvas is allocated via create_clone_image_at_new_size() → plane.alloc() → new (std::nothrow) uint8_t[allocation_size] which does not zero the memory; only the alpha plane is explicitly initialized via fill_plane(), so the Y, Cb, and Cr planes contain whatever was previously at that heap address. The failed tile's region of the canvas is never written. It retains uninitialized heap data that is delivered to the caller as decoded pixel values (4,096 bytes per Y/Cb/Cr plane = 12,288+ bytes total). Any application using libheif to decode grid-based HEIF/AVIF files with default settings is vulnerable: a crafted .heic or .avif file causes 4,096+ bytes of heap memory to appear as pixel values in the decoded image, and the calling application receives heif_error_Ok, so it has no indication the output contains heap garbage. In server-side image processing, an uploaded crafted HEIF decoded and re-encoded (e.g., as PNG/JPEG for thumbnails, CDN, social media) can leak cross-user data such as auth tokens, database results, and other users' image data. This issue has been fixed in version 1.22.0.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32814
• https://github.com/strukturag/libheif/releases/tag/v1.22.0
• https://github.com/strukturag/libheif/security/advisories/GHSA-4m8r-34pg-rvwc

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32739
• https://github.com/strukturag/libheif/releases/tag/v1.22.0
• https://github.com/strukturag/libheif/security/advisories/GHSA-j9g7-q9hv-gq8c

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32882
• https://github.com/strukturag/libheif/releases/tag/v1.22.0
• https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. The overflow is triggered during normal image decoding with default build configuration. The written bytes are chroma (Cb/Cr) pixel values from the attacking tile, giving the attacker full control over the overflow content. This issue has been fixed in version 1.22.0.

Remediation

There is no fixed version for Debian:13 libheif.

References

• https://security-tracker.debian.org/tracker/CVE-2026-32740
• https://github.com/strukturag/libheif/releases/tag/v1.22.0
• https://github.com/strukturag/libheif/security/advisories/GHSA-frfr-f3vg-2g6j

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Remediation

There is no fixed version for Debian:13 libtasn1-6.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13151
• https://gitlab.com/gnutls/libtasn1
• https://gitlab.com/gnutls/libtasn1/-/merge_requests/121
• http://www.openwall.com/lists/oss-security/2026/01/08/5
• https://www.kb.cert.org/vuls/id/271649

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 libxpm.

References

• https://security-tracker.debian.org/tracker/CVE-2026-4367

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for Debian:13 nginx.

References

• https://security-tracker.debian.org/tracker/CVE-2026-9256

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.

Remediation

There is no fixed version for Debian:13 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2026-22185
• https://seclists.org/fulldisclosure/2026/Jan/5
• https://seclists.org/fulldisclosure/2026/Jan/8
• https://www.openldap.org/
• https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline
• https://bugs.openldap.org/show_bug.cgi?id=10421

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.

_dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.

The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2025-15649
• https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch
• https://github.com/pmqs/IO-Compress/issues/65
• https://metacpan.org/release/PMQS/IO-Compress-2.215/changes
• http://www.openwall.com/lists/oss-security/2026/05/27/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.

fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.

Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-48959
• https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch
• https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
• http://www.openwall.com/lists/oss-security/2026/05/27/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.

When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.

Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-48961
• https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch
• https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
• http://www.openwall.com/lists/oss-security/2026/05/27/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.

Arbitrary Perl in the output glob executes at the calling process's privilege.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-48962
• https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch
• https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
• http://www.openwall.com/lists/oss-security/2026/05/27/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

The unvalidated inputs are the method and URI in the request line, the URL host that becomes the Host: header, and HTTP/1.1 control data field values.

An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

Remediation

There is no fixed version for Debian:13 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2026-7010
• https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch
• https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes
• http://www.openwall.com/lists/oss-security/2026/05/11/17

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Debian:13 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2024-56433
• https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
• https://github.com/shadow-maint/shadow/issues/1157
• https://github.com/shadow-maint/shadow/releases/tag/4.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

Remediation

There is no fixed version for Debian:13 sqlite3.

References

• https://security-tracker.debian.org/tracker/CVE-2025-70873
• https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054
• https://sqlite.org/forum/forumpost/761eac3c82
• https://sqlite.org/src/info/3d459f1fb1bd1b5e

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for Debian:13 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2026-27456
• https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4
• https://github.com/util-linux/util-linux/releases/tag/v2.41.4
• https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g