CVE coverage
Debian 11 CVE tracker
Noxen pulls Debian 11 (Bullseye) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Bullseye is in the Debian LTS phase (maintained by Freexian) through August 2026, so security backports still land — Noxen surfaces them with exact fix versions and matches against the installed source package.
Live
Headline numbers
- Total CVE records (all distros)Loading…
- Last buildLoading…
- OSV records (Debian + others)Loading…
- NVD records (cross-platform)Loading…
How matching works
What Noxen does for a Debian 11 host
- Reads
/etc/os-releaseover SSH to confirm the host is on Debian 11. - Reads the dpkg package list — every binary package, plus its corresponding source package via
dpkg-query --showformat='${Source}'. - Filters the local feed cache to OSV records tagged with ecosystem
Debian:11. - For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
- Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.
Live listings
Top recent critical CVEs (Debian 11 / Debian ecosystem)
Most-recently-published critical CVEs in the Debian 11 / Debian ecosystem. Auto-deduped to one row per CVE ID. Snapshot baked at ; live re-fetch on page load.
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-53309 | critical | 9.8 | In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past | linux | — | |
| DEBIAN-CVE-2026-48930 | critical | 9.8 | A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **No | nodejs | — | |
| DEBIAN-CVE-2026-7531 | critical | 9.8 | Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operat | wolfssl | — | |
| DEBIAN-CVE-2026-56786 | critical | 9.8 | RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacke | rtklib | — | |
| DEBIAN-CVE-2026-6094 | critical | 9.1 | Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS. | wolfssl | — | |
| DEBIAN-CVE-2026-56123 | critical | 9.8 | socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting a sign-extension flaw in the DOMAINNAME reply parser. Duri | socat | — | |
| DEBIAN-CVE-2026-53260 | critical | 9.8 | In the Linux kernel, the following vulnerability has been resolved: tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req(). syzbot reported a weird reqsk->rsk_refcnt underflow in __inet_csk_reqsk_queue_drop(). The captured | linux | — | |
| DEBIAN-CVE-2026-53247 | critical | 9.8 | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, by | linux | 6.12.94-1 |
Top recent high-severity CVEs (Debian 11 / Debian ecosystem)
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-13500 | high | 7.3 | A weakness has been identified in antlr ANTLR4 up to 4.13.2. Affected is an unknown function of the file tool/src/org/antlr/v4/codegen/model/OutputFile.java of the component Grammar Action Block Handler. Executing a manipulation can lead to | antlr4 | — | |
| DEBIAN-CVE-2026-58050 | high | 7.0 | libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the | libssh2 | — | |
| DEBIAN-CVE-2026-58049 | high | 8.6 | FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 | ffmpeg | — | |
| DEBIAN-CVE-2026-53322 | high | 8.8 | In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Clean up DMABUFs before disabling function On device shutdown, make vfio_pci_core_close_device() call vfio_pci_dma_buf_cleanup() before the function is disabled | linux | 7.0.10-1 | |
| DEBIAN-CVE-2026-53300 | high | 7.8 | In the Linux kernel, the following vulnerability has been resolved: net: enetc: fix NTMP DMA use-after-free issue The AI-generated review reported a potential DMA use-after-free issue [1]. If netc_xmit_ntmp_cmd() times out and returns an | linux | 7.0.10-1 | |
| DEBIAN-CVE-2026-53290 | high | 7.8 | In the Linux kernel, the following vulnerability has been resolved: drm/xe/eustall: Fix drm_dev_put called before stream disable in close In xe_eu_stall_stream_close(), drm_dev_put() is called before the stream is disabled and its resourc | linux | 7.0.10-1 | |
| DEBIAN-CVE-2026-53284 | high | 7.5 | In the Linux kernel, the following vulnerability has been resolved: btrfs: only release the dirty pages io tree after successful writes [WARNING] With extra warning on dirty extent buffers at umount (aka, the next patch in the series), te | linux | — | |
| DEBIAN-CVE-2026-53281 | high | 8.8 | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereferenc | linux | — |
Notable
Recent CVEs Debian 11 operators should know.
- CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE.. Debian advisory · Noxen deep-dive.
- CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1.. Debian advisory · Noxen deep-dive.
- CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild.. Debian advisory.
FAQ
Frequently asked about Debian 11 CVEs
Is Debian 11 still supported in 2026?
Yes — Debian 11 entered LTS in August 2024 (when regular Security Team support ended) and continues through August 2026 under Freexian's volunteer LTS programme. Paid ELTS coverage extends further. Backports are released for the same source packages the Security Tracker covers.
How do I check Debian 11 CVEs on a running host?
For a quick count: apt list --upgradable 2>/dev/null | grep -ci security. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Debian:11 ecosystem feed.
What's the practical difference between Debian 11 and 12 for CVE coverage?
Same data source (Debian Security Tracker, mirrored through OSV). The difference is the package version set and what's been backported. A CVE fixed upstream in openssl 3.2 gets a separate Bullseye backport into the Bullseye-shipped 1.1.1 series and a Bookworm backport into 3.0. Noxen matches against the right per-release fix version automatically.
Scan a Debian 11 fleet with Noxen
Add your Debian 11 hosts via your existing
~/.ssh/config; Noxen reads dpkg state and
matches against the live signed feed. No agent, no SaaS round-trip.
$79 one-time.