CVE coverage
Debian 11 CVE tracker
Noxen pulls Debian 11 (Bullseye) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Bullseye is in its Debian LTS phase (run by the Debian LTS team, with paid contributors funded through Freexian) until August 2026, so security backports still land. Noxen surfaces them with exact fix versions and matches against the installed source package, which is what the tracker keys on.
How matching works
What Noxen does for a Debian 11 host
- Reads /etc/os-release over SSH to confirm the host is on Debian 11.
- Reads the dpkg package list: every binary package, plus its corresponding source package via dpkg-query --showformat='${Source}'.
- Filters the local feed cache to OSV records tagged with ecosystem Debian:11.
- For each record, compares the installed source version against the OSV-published fix version using Debian's version-comparison rules (epoch, upstream, debian-revision, with the same ordering as dpkg --compare-versions).
- Emits a finding only when the installed version is older than the fix. Where a fix is available only through a paid extended-support channel (for Bullseye, Freexian's ELTS once LTS ends), it is flagged separately.
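The five steps above, as an added example that is not Noxen's code: a Python implementation of the Debian 11 matching run end to end on constructed inputs. The os-release text, the dpkg listing and the OSV-shaped records are made up for the example (the two Debian:11 fix versions are the ones shown in the table on this page; the Debian:12 entry and the open-ended kernel range are invented). The version comparison reimplements dpkg's verrevcmp() ordering, so tilde, plus-suffix and epoch cases sort the way dpkg --compare-versions sorts them. Where a range has no fixed event, this example reports the package as affected with no fix yet rather than staying silent; that is a choice made here, not a description of Noxen's behaviour.

```python
import re

# Constructed /etc/os-release content, as the SSH read would return it.
OS_RELEASE = 'PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"\nID=debian\nVERSION_ID="11"\n'

# Constructed output of: dpkg-query -W -f='${binary:Package} ${Version} ${Source}\n'
# ${Source} is empty when source and binary share a name, and carries a "(version)"
# suffix when the source version differs from the binary version.
DPKG_LISTING = """\
apache2 2.4.62-1~deb11u2
apache2-bin 2.4.62-1~deb11u2 apache2
perl-base 5.32.1-4+deb11u4 perl
linux-image-5.10.0-33-amd64-unsigned 5.10.226-1 linux
linux-image-5.10.0-33-amd64 5.10.226-1 linux-signed-amd64 (5.10.226+1)
"""

# Constructed records in OSV shape. Ids and the Debian:11 fix versions are the ones on
# this page; the Debian:12 entry and the unfixed kernel range are made up.
def _rec(cve, *affected):
    return {"id": cve, "affected": [
        {"package": {"ecosystem": eco, "name": name},
         "ranges": [{"type": "ECOSYSTEM", "events": events}]} for eco, name, events in affected]}

OSV_RECORDS = [
    _rec("DEBIAN-CVE-2026-44631",
         ("Debian:11", "apache2", [{"introduced": "0"}, {"fixed": "2.4.67-1~deb11u3"}]),
         ("Debian:12", "apache2", [{"introduced": "0"}, {"fixed": "2.4.67-1~deb12u1"}])),
    _rec("DEBIAN-CVE-2017-20230", ("Debian:11", "perl", [{"introduced": "0"}, {"fixed": "5.28.0-3"}])),
    _rec("DEBIAN-CVE-2026-46185", ("Debian:11", "linux", [{"introduced": "0"}])),
]

def is_debian_11(os_release: str) -> bool:
    """Step 1: parse KEY=VALUE lines and require ID=debian with VERSION_ID 11."""
    info = dict(line.split("=", 1) for line in os_release.splitlines() if "=" in line)
    return info.get("ID") == "debian" and info.get("VERSION_ID", "").strip('"') == "11"

def source_packages(listing: str) -> dict:
    """Step 2: map each installed source package to its source version."""
    srcs = {}
    for line in listing.splitlines():
        binary, version, *rest = line.split(None, 2)
        m = re.fullmatch(r"(\S+)(?: \((\S+)\))?", rest[0] if rest else binary)
        srcs[m.group(1)] = m.group(2) or version   # a "(ver)" suffix overrides ${Version}
    return srcs

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything, including end of string."""
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare one version fragment (upstream or revision) the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])   # slice yields "" past the end
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1           # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1          # longer digit run is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a: str, b: str) -> int:
    """Step 4: dpkg --compare-versions ordering; negative, zero or positive like strcmp."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def affected_ranges(record: dict, ecosystem: str, installed: dict):
    """Steps 3-4: yield (source, installed, fixed) for each range the host's version falls in."""
    for aff in record["affected"]:
        name = aff["package"]["name"]
        if aff["package"]["ecosystem"] != ecosystem or name not in installed:
            continue
        version = installed[name]
        for rng in aff["ranges"]:                        # Debian entries use ECOSYSTEM ranges
            lo = None
            for ev in rng["events"] + [{}]:              # sentinel closes an open-ended range
                if "introduced" in ev:
                    lo = ev["introduced"]
                elif lo is not None:
                    hi = ev.get("fixed")
                    if compare_versions(version, lo) >= 0 and (hi is None or compare_versions(version, hi) < 0):
                        yield name, version, hi
                    lo = None

def scan(os_release: str, listing: str, records: list) -> list:
    """Step 5: one finding per (CVE, source) where installed < fix, or no fix exists yet."""
    if not is_debian_11(os_release):
        raise ValueError("not a Debian 11 host; the Debian:11 ecosystem filter would not apply")
    installed = source_packages(listing)
    return [{"cve": rec["id"], "source": src, "installed": ver, "fixed": hi or "no fix published yet"}
            for rec in records for src, ver, hi in affected_ranges(rec, "Debian:11", installed)]
```

On the constructed input this yields two findings: apache2 (2.4.62-1~deb11u2 is older than 2.4.67-1~deb11u3) and the kernel (open range, no fix), while perl is skipped because 5.32.1-4+deb11u4 is newer than 5.28.0-3. Note the signed kernel image reports linux-signed-amd64 as its source, but the Security Tracker files kernel CVEs under linux; a scanner keyed on ${Source} alone needs a mapping for the signed-* wrapper packages, and here the match only succeeds because the -unsigned image is also installed.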
Live listings
Top recent critical CVEs (Debian 11 / Debian ecosystem)
Most-recently-published critical CVEs in the Debian 11 / Debian ecosystem, deduplicated to one row per CVE ID. A snapshot is baked in at build time and re-fetched live on page load. Summaries are truncated; a "—" in the Fix in column means no Bullseye fix version has been published yet.
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-49261 | critical | 10.0 | MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands | mariadb | — | |
| DEBIAN-CVE-2026-9648 | critical | 9.1 | The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an atta | haskell-crypton-x509-validation | — | |
| DEBIAN-CVE-2009-10007 | critical | 9.1 | Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a s | libcatalyst-plugin-authentication-perl | — | |
| DEBIAN-CVE-2026-44631 | critical | 9.8 | Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes t | apache2 | 2.4.67-1~deb11u3 | |
| DEBIAN-CVE-2026-46185 | critical | 9.1 | In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data( | linux | — | |
| DEBIAN-CVE-2013-10075 | critical | 9.1 | Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being rev | libapache-session-perl | — | |
| DEBIAN-CVE-2017-20230 | critical | 10.0 | Storable versions before 3.05 for Perl has a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data | perl | 5.28.0-3 | |
| DEBIAN-CVE-2018-25223 | critical | 9.8 | Crashmail 1.6 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending malicious input to the application. Attackers can craft payloads with ROP chains to achieve code execution | crashmail | — | |
Top recent high-severity CVEs (Debian 11 / Debian ecosystem)
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-44892 | high | 7.5 | | netty | — | |
| DEBIAN-CVE-2026-44890 | high | 7.5 | Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple con | netty | — | |
| DEBIAN-CVE-2026-44250 | high | 7.5 | Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested | netty | — | |
| DEBIAN-CVE-2026-44249 | high | 8.1 | Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in I | netty | — | |
| DEBIAN-CVE-2026-12034 | high | 8.3 | Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious | chromium | — | |
| DEBIAN-CVE-2026-12031 | high | 8.3 | Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security | chromium | — | |
| DEBIAN-CVE-2026-12030 | high | 8.3 | Out of bounds write in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: | chromium | — | |
| DEBIAN-CVE-2026-12029 | high | 8.3 | Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Hig | chromium | — | |
Notable
Recent CVEs Debian 11 operators should know.
- CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race in sshd giving unauthenticated remote code execution. Bullseye ships OpenSSH 8.4p1, which predates the 8.5p1 regression the bug depends on, so the stock package is not affected; the entry matters if a newer sshd was installed from outside the Bullseye archive. Debian advisory · Noxen deep-dive.
- CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in the xz-utils 5.6.0 and 5.6.1 release tarballs. The backdoored versions only reached Debian unstable and testing; Bullseye ships the 5.2 series and was never affected, so a Bullseye host reporting xz-utils 5.6.x has a package from outside the archive. Debian advisory · Noxen deep-dive.
- CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege escalation via a use-after-free in nf_tables, added to CISA's KEV catalogue after in-the-wild exploitation. Bullseye's 5.10 kernel series was affected; check that the running kernel (uname -r) is the one carrying the fix, since an updated linux-image package does nothing until the host reboots into it. Debian advisory.
FAQ
Frequently asked about Debian 11 CVEs
Is Debian 11 still supported in 2026?
Yes. Debian 11 entered LTS in August 2024, when regular Security Team support ended, and stays there until August 2026 under the Debian LTS programme (paid contributors funded through Freexian, alongside volunteers). Freexian's paid Extended LTS (ELTS) continues past that date. LTS backports go out for the source packages the Security Tracker covers, with one caveat: some packages are excluded from LTS support or supported only in a limited way, and the check-support-status command from the debian-security-support package lists which installed packages those are.
How do I check Debian 11 CVEs on a running host?
For a quick count of pending security updates (after apt update): apt list --upgradable 2>/dev/null | grep -ci security. This counts packages whose newer version comes from bullseye-security, so it is a rough proxy: zero means nothing is pending in apt's view, not that nothing is affected, and it says nothing about unfixed CVEs. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Debian:11 ecosystem feed; on the host itself, Debian's debsecan package (debsecan --suite bullseye) gives a comparable per-CVE listing straight from the Security Tracker.
What's the practical difference between Debian 11 and 12 for CVE coverage?
Same data source (Debian Security Tracker, mirrored through OSV). The difference is the package version set and what's been backported. A CVE fixed upstream in openssl 3.2 gets a separate Bullseye backport into the Bullseye-shipped 1.1.1 series and a Bookworm backport into 3.0. Noxen matches against the right per-release fix version automatically.
Scan a Debian 11 fleet with Noxen
Add your Debian 11 hosts via your existing ~/.ssh/config; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip.
$79 one-time.