Is Debian 11 still supported in 2026?

Yes — Debian 11 entered LTS in August 2024 (when regular Security Team support ended) and continues through August 2026 under Freexian's volunteer LTS programme. Paid ELTS coverage extends further. Backports are released for the same source packages the Security Tracker covers.

How do I check Debian 11 CVEs on a running host?

For a quick count: `apt list --upgradable 2>/dev/null | grep -ci security`. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Debian:11 ecosystem feed.

What's the practical difference between Debian 11 and 12 for CVE coverage?

Same data source (Debian Security Tracker, mirrored through OSV). The difference is the package version set and what's been backported. A CVE fixed upstream in openssl 3.2 gets a separate Bullseye backport into the Bullseye-shipped 1.1.1 series and a Bookworm backport into 3.0. Noxen matches against the right per-release fix version automatically.

CVE coverage

Debian 11 CVE tracker

Noxen pulls Debian 11 (Bullseye) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Bullseye is in the Debian LTS phase (maintained by Freexian) through August 2026, so security backports still land — Noxen surfaces them with exact fix versions and matches against the installed source package.

Live

Headline numbers

Total CVE records (all distros)Loading…
Last buildLoading…
OSV records (Debian + others)Loading…
NVD records (cross-platform)Loading…

How matching works

What Noxen does for a Debian 11 host

Reads /etc/os-release over SSH to confirm the host is on Debian 11.
Reads the dpkg package list — every binary package, plus its corresponding source package via dpkg-query --showformat='${Source}'.
Filters the local feed cache to OSV records tagged with ecosystem Debian:11.
For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.

Live listings

Top recent critical CVEs (Debian 11 / Debian ecosystem)

Most-recently-published critical CVEs in the Debian 11 / Debian ecosystem. Auto-deduped to one row per CVE ID. Snapshot baked at 2026-05-16; live re-fetch on page load.

CVE	Sev.	CVSS	Summary	Package	Fix in	Published
DEBIAN-CVE-2026-8580	critical	9.6	Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)	chromium	—	2026-05-14
DEBIAN-CVE-2026-8511	critical	9.6	Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)	chromium	—	2026-05-14
DEBIAN-CVE-2026-45185	critical	9.8	Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cle	exim4	4.94.2-7+deb11u5	2026-05-12
DEBIAN-CVE-2026-43515	critical	9.1	Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0	tomcat10	—	2026-05-12
DEBIAN-CVE-2026-43512	critical	9.8	DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 t	tomcat10	—	2026-05-12
DEBIAN-CVE-2026-41293	critical	9.8	Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of suppor	tomcat10	—	2026-05-12
DEBIAN-CVE-2026-6104	critical	9.1	In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns	php8.4	8.4.21-1~deb13u1	2026-05-10
DEBIAN-CVE-2026-7261	critical	9.8	In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However	php7.4	7.4.33-1+deb11u11	2026-05-10

Top recent high-severity CVEs (Debian 11 / Debian ecosystem)

CVE	Sev.	CVSS	Summary	Package	Fix in	Published
DEBIAN-CVE-2026-44673	high	7.5	libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker	libyang	—	2026-05-14
DEBIAN-CVE-2026-8587	high	8.8	Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Me	chromium	—	2026-05-14
DEBIAN-CVE-2026-8581	high	8.8	Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)	chromium	—	2026-05-14
DEBIAN-CVE-2026-8577	high	8.8	Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)	chromium	—	2026-05-14
DEBIAN-CVE-2026-8575	high	8.3	Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)	chromium	—	2026-05-14
DEBIAN-CVE-2026-8574	high	8.3	Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medi	chromium	—	2026-05-14
DEBIAN-CVE-2026-8573	high	8.3	Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)	chromium	—	2026-05-14
DEBIAN-CVE-2026-8571	high	8.3	Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium securit	chromium	—	2026-05-14

New to severity terminology? CVE, CVSS, CWE, CPE explained.

Notable

Recent CVEs Debian 11 operators should know.

CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE.. Debian advisory · Noxen deep-dive.
CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1.. Debian advisory · Noxen deep-dive.
CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild.. Debian advisory.

Scan a Debian 11 fleet with Noxen

Add your Debian 11 hosts via your existing ~/.ssh/config; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip. $79 one-time.

← back to the CVE dashboard Debian 12 → AlmaLinux 9 →