CVE coverage
Debian 13 CVE tracker
Noxen pulls Debian 13 (Trixie) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Records are deduped against NVD and shipped in a signed snapshot, rebuilt daily.
Live
Headline numbers
- Total CVE records (all distros)Loading…
- Last buildLoading…
- OSV records (Debian + others)Loading…
- NVD records (cross-platform)Loading…
How matching works
What Noxen does for a Debian 13 host
- Reads
/etc/os-releaseover SSH to confirm the host is on Debian 13. - Reads the dpkg package list — every binary package, plus its corresponding source package via
dpkg-query --showformat='${Source}'. - Filters the local feed cache to OSV records tagged with ecosystem
Debian:13. - For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
- Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.
Live listings
Top recent critical CVEs (Debian 13 / Debian ecosystem)
Most-recently-published critical CVEs in the Debian 13 / Debian ecosystem. Auto-deduped to one row per CVE ID. Snapshot baked at ; live re-fetch on page load.
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-11526 | critical | 9.8 | GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that | libgd-perl | — | |
| DEBIAN-CVE-2026-47691 | critical | 10.0 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache | netty | — | |
| DEBIAN-CVE-2026-45674 | critical | 10.0 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses | netty | — | |
| DEBIAN-CVE-2026-12027 | critical | 9.6 | Inappropriate implementation in Headless in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severit | chromium | — | |
| DEBIAN-CVE-2026-49261 | critical | 10.0 | MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands | mariadb | — | |
| DEBIAN-CVE-2026-9648 | critical | 9.1 | The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an atta | haskell-crypton-x509-validation | — | |
| DEBIAN-CVE-2026-34182 | critical | 9.1 | Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Atta | openssl | 3.0.20-1~deb12u2 | |
| DEBIAN-CVE-2026-46325 | critical | 9.8 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE The current implementation incorrectly handles memory regions (MRs) with page sizes different from the | linux | — |
Top recent high-severity CVEs (Debian 13 / Debian ecosystem)
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-47261 | high | 7.5 | Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the | rust-wasmtime | — | |
| DEBIAN-CVE-2026-53705 | high | 7.6 | A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() | gst-plugins-good1.0 | — | |
| DEBIAN-CVE-2026-53704 | high | 7.1 | A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re | gst-plugins-ugly1.0 | — | |
| DEBIAN-CVE-2026-53703 | high | 7.1 | A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, | gst-plugins-ugly1.0 | — | |
| DEBIAN-CVE-2026-52722 | high | 7.1 | A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds rea | gst-plugins-bad1.0 | — | |
| DEBIAN-CVE-2026-52720 | high | 8.8 | A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends | gst-plugins-bad1.0 | — | |
| DEBIAN-CVE-2026-52719 | high | 7.1 | An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick | gst-plugins-bad1.0 | — | |
| DEBIAN-CVE-2026-11527 | high | 8.6 | Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg o | libconfig-inifiles-perl | — |
Notable
Recent CVEs Debian 13 operators should know.
- CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE.. Debian advisory · Noxen deep-dive.
- CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1.. Debian advisory · Noxen deep-dive.
- CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild.. Debian advisory.
- CVE-2026-31431 (kernel algif_aead) — Local privilege escalation in the kernel's userspace AEAD interface.. Debian advisory · Noxen deep-dive.
FAQ
Frequently asked about Debian 13 CVEs
How many CVEs affect Debian 13?
Debian 13 (Trixie) is filtered out of the broader Debian ecosystem feed by ecosystem tag (Debian:13). Live counts appear at the top of this page; the underlying feed is rebuilt daily.
How do I check Debian 13 CVEs on a running host?
For a quick check: apt list --upgradable 2>/dev/null | grep -ci security. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Debian:13 ecosystem feed.
Where does the Debian 13 data come from?
Upstream is the Debian Security Tracker, which OSV.dev ingests and republishes in a normalised ecosystem feed. Noxen consumes the OSV feed, dedupes against NVD, and publishes signed daily snapshots.
Scan a Debian 13 fleet with Noxen
Add your Debian 13 hosts via your existing
~/.ssh/config; Noxen reads dpkg state and
matches against the live signed feed. No agent, no SaaS round-trip.
$79 one-time.