CVE coverage

Debian 13 CVE tracker

Noxen pulls Debian 13 (Trixie) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Records are deduped against NVD and shipped in a signed snapshot, rebuilt daily.

Live

Headline numbers

The following counters are populated live when the page loads:

  • Total CVE records (all distros)
  • Last build
  • OSV records (Debian + others)
  • NVD records (cross-platform)

How matching works

What Noxen does for a Debian 13 host

  1. Reads /etc/os-release over SSH and confirms the host is on Debian 13 (ID=debian, VERSION_ID="13") before anything else is fetched.
  2. Reads the dpkg package list: every installed binary package and its version, plus the corresponding source package via dpkg-query --showformat='${Source}'. That field is empty when the source package has the binary's name, and reads name (version) when the source version differs from the binary version; binNMU suffixes such as +b1 appear only on the binary version. Debian Security Tracker data is keyed by source package and source version, so that is the pair the match has to use.
  3. Filters the local feed cache to OSV records tagged with ecosystem Debian:13. A record may carry entries for several Debian releases; only its Debian:13 entry is compared against a Debian 13 host.
  4. For each record, compares the installed source version against the OSV-published fix version using dpkg's version-ordering rules: epoch first, then upstream version, then debian-revision, with ~ sorting before everything else (so 2.4.67-1~deb11u3 is older than 2.4.67-1).
  5. Emits a finding only when the installed version is older than the fix version.

Live listings

Top recent critical CVEs (Debian 13 / Debian ecosystem)

Most-recently-published critical CVEs in the Debian 13 / Debian ecosystem. Auto-deduped to one row per CVE ID. Snapshot baked at ; live re-fetch on page load.

CVE | Sev. | CVSS | Summary | Package | Fix in | Published
DEBIAN-CVE-2026-49261 | critical | 10.0 | MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands… | mariadb | |
DEBIAN-CVE-2026-9648 | critical | 9.1 | The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an atta… | haskell-crypton-x509-validation | |
DEBIAN-CVE-2009-10007 | critical | 9.1 | Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a s… | libcatalyst-plugin-authentication-perl | |
DEBIAN-CVE-2026-44631 | critical | 9.8 | Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes t… | apache2 | 2.4.67-1~deb11u3 |
DEBIAN-CVE-2026-46185 | critical | 9.1 | In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data(… | linux | |
DEBIAN-CVE-2013-10075 | critical | 9.1 | Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being rev… | libapache-session-perl | |
DEBIAN-CVE-2017-20230 | critical | 10.0 | Storable versions before 3.05 for Perl has a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data… | perl | 5.28.0-3 |
DEBIAN-CVE-2018-25223 | critical | 9.8 | Crashmail 1.6 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending malicious input to the application. Attackers can craft payloads with ROP chains to achieve code execution… | crashmail | |

Top recent high-severity CVEs (Debian 13 / Debian ecosystem)

CVE | Sev. | CVSS | Summary | Package | Fix in | Published
DEBIAN-CVE-2026-44892 | high | 7.5 | | netty | |
DEBIAN-CVE-2026-44890 | high | 7.5 | Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple con… | netty | |
DEBIAN-CVE-2026-44250 | high | 7.5 | Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested… | netty | |
DEBIAN-CVE-2026-44249 | high | 8.1 | Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in I… | netty | |
DEBIAN-CVE-2026-12034 | high | 8.3 | Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious… | chromium | |
DEBIAN-CVE-2026-12031 | high | 8.3 | Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security… | chromium | |
DEBIAN-CVE-2026-12030 | high | 8.3 | Out of bounds write in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity:… | chromium | |
DEBIAN-CVE-2026-12029 | high | 8.3 | Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Hig… | chromium | |

New to severity terminology? CVE, CVSS, CWE, CPE explained.

Notable

Recent CVEs Debian 13 operators should know.

FAQ

Frequently asked about Debian 13 CVEs

How many CVEs affect Debian 13?

Debian 13 (Trixie) records are selected from the broader Debian ecosystem feed by their ecosystem tag (Debian:13). Live counts appear at the top of this page; the underlying feed is rebuilt daily.

How do I check Debian 13 CVEs on a running host?

For a quick check: apt list --upgradable 2>/dev/null | grep -c trixie-security counts pending upgrades whose candidate comes from the security suite. Match the suite name rather than the bare word "security", otherwise any package whose name happens to contain it is counted too. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Debian:13 ecosystem feed.
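The quick check above as a parser of apt's output rather than a substring count, added here as an illustration and not part of Noxen. The apt list lines are constructed (libsecuritycheck1 and example-tool are hypothetical package names): the parser keeps only entries whose candidate comes from the trixie-security suite, handles entries listed under more than one suite, and reports what a bare grep for "security" would have counted instead.

```python
"""Added example (not Noxen's code): classify `apt list --upgradable` output by
suite. The lines below are constructed, not captured from a host."""
import re

APT_LIST = """\
Listing...
apache2/trixie-security 2.4.66-1 amd64 [upgradable from: 2.4.65-2]
apache2-bin/trixie-security 2.4.66-1 amd64 [upgradable from: 2.4.65-2]
libsecuritycheck1/trixie 0.9-2 amd64 [upgradable from: 0.9-1]
example-tool/trixie,trixie-security 1.4-1 all [upgradable from: 1.3-2]
"""
# libsecuritycheck1 and example-tool are hypothetical names chosen to show the
# two failure modes of a substring grep: a name containing "security" (false
# positive) and a candidate listed under several suites at once.

# pkg/suite[,suite...] candidate arch [upgradable from: installed]
_LINE = re.compile(r"^(?P<pkg>[^/\s]+)/(?P<suites>\S+) (?P<candidate>\S+) \S+ "
                   r"\[upgradable from: (?P<installed>[^\]]+)\]$")

def parse_apt_list(text: str) -> list:
    """One dict per upgradable entry; non-entry lines such as 'Listing...' are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            row = m.groupdict()
            row["suites"] = row["suites"].split(",")
            rows.append(row)
    return rows

def security_upgrades(text: str, suite: str = "trixie-security") -> list:
    """Packages whose pending upgrade is offered from the security suite."""
    return [r["pkg"] for r in parse_apt_list(text) if suite in r["suites"]]

def naive_count(text: str) -> int:
    """What `grep -ci security` counts: every line containing the word anywhere."""
    return sum("security" in line.lower() for line in text.splitlines())

if __name__ == "__main__":
    print("security-suite upgrades:", security_upgrades(APT_LIST))
    print("naive grep count:", naive_count(APT_LIST))
```

On the constructed input the suite-based count is 3 (apache2, apache2-bin, example-tool) while the substring count is 4, because libsecuritycheck1 is an ordinary trixie update that merely has "security" in its name.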

Where does the Debian 13 data come from?

Upstream is the Debian Security Tracker, which OSV.dev ingests and republishes in a normalised ecosystem feed. Noxen consumes the OSV feed, dedupes against NVD, and publishes signed daily snapshots.

Scan a Debian 13 fleet with Noxen

Add your Debian 13 hosts via your existing ~/.ssh/config; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip. $79 one-time.
