CVE coverage

Debian 11 CVE tracker

Noxen pulls Debian 11 (Bullseye) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Bullseye is in the Debian LTS phase (maintained by Freexian) through August 2026, so security backports still land — Noxen surfaces them with exact fix versions and matches against the installed source package.


How matching works

What Noxen does for a Debian 11 host

  1. Reads /etc/os-release over SSH to confirm the host is on Debian 11.
  2. Reads the dpkg package list — every binary package, plus its corresponding source package via dpkg-query --showformat='${Source}'.
  3. Filters the local feed cache to OSV records tagged with ecosystem Debian:11.
  4. For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
  5. Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.

Live listings

Top recent critical CVEs (Debian 11 / Debian ecosystem)

Most-recently-published critical CVEs in the Debian 11 / Debian ecosystem. Auto-deduped to one row per CVE ID. Snapshot baked at ; live re-fetch on page load.

| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
| --- | --- | --- | --- | --- | --- | --- |
| DEBIAN-CVE-2026-11293 | critical | 9.6 | Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | chromium | | |
| DEBIAN-CVE-2026-11282 | critical | 9.6 | Insufficient policy enforcement in Sandbox in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | chromium | | |
| DEBIAN-CVE-2026-11250 | critical | 9.6 | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Ch | chromium | | |
| DEBIAN-CVE-2026-11213 | critical | 9.6 | Insufficient validation of untrusted input in Reading Mode in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium | chromium | | |
| DEBIAN-CVE-2026-11207 | critical | 9.6 | Insufficient validation of untrusted input in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Medium) | chromium | | |
| DEBIAN-CVE-2026-11198 | critical | 9.6 | Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium) | chromium | | |
| DEBIAN-CVE-2026-11167 | critical | 9.6 | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium securit | chromium | | |
| DEBIAN-CVE-2026-11165 | critical | 9.6 | Use after free in WebMIDI in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | chromium | | |

Top recent high-severity CVEs (Debian 11 / Debian ecosystem)

| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
| --- | --- | --- | --- | --- | --- | --- |
| DEBIAN-CVE-2026-45300 | high | 7.4 | The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cro | async-http-client | | |
| DEBIAN-CVE-2026-48095 | high | 8.8 | 7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing atta | 7zip | | |
| DEBIAN-CVE-2026-50264 | high | 7.8 | An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap | xorg-server | | |
| DEBIAN-CVE-2026-50261 | high | 7.8 | A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing | xorg-server | | |
| DEBIAN-CVE-2026-50260 | high | 7.8 | A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client co | xorg-server | | |
| DEBIAN-CVE-2026-50259 | high | 7.8 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a | xorg-server | | |
| DEBIAN-CVE-2026-50258 | high | 7.8 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMax | xorg-server | | |
| DEBIAN-CVE-2026-50257 | high | 7.8 | A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set u | xorg-server | | |

New to severity terminology? CVE, CVSS, CWE, CPE explained.

Notable

Recent CVEs Debian 11 operators should know.

FAQ

Frequently asked about Debian 11 CVEs

Is Debian 11 still supported in 2026?

Yes — Debian 11 entered LTS in August 2024 (when regular Security Team support ended) and continues through August 2026 under Freexian's volunteer LTS programme. Paid ELTS coverage extends further. Backports are released for the same source packages the Security Tracker covers.

How do I check Debian 11 CVEs on a running host?

For a quick count: apt list --upgradable 2>/dev/null | grep -ci security. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Debian:11 ecosystem feed.

What's the practical difference between Debian 11 and 12 for CVE coverage?

Same data source (Debian Security Tracker, mirrored through OSV). The difference is the package version set and what's been backported. A CVE fixed upstream in openssl 3.2 gets a separate Bullseye backport into the Bullseye-shipped 1.1.1 series and a Bookworm backport into 3.0. Noxen matches against the right per-release fix version automatically.

Scan a Debian 11 fleet with Noxen

Add your Debian 11 hosts via your existing ~/.ssh/config; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip. $79 one-time.
