CVE coverage
Debian 13 CVE tracker
Noxen pulls Debian 13 (Trixie) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Records are deduped against NVD and shipped in a signed snapshot, rebuilt daily.
How matching works
What Noxen does for a Debian 13 host
- Reads `/etc/os-release` over SSH to confirm the host is on Debian 13.
- Reads the dpkg package list: every binary package, plus its corresponding source package via `dpkg-query --showformat='${Source}'`.
- Filters the local feed cache to OSV records tagged with ecosystem `Debian:13`.
- For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
- Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.
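The comparison and filter steps above, as an added Python example (not Noxen's code): `deb_cmp` implements dpkg's version ordering and `findings` applies it to records laid out like OSV's `affected` / `ranges` / `events` schema. The package names, record IDs and versions are constructed, and `introduced` events are assumed to be `0` and are ignored.

```python
import re

def _order(c):  # dpkg weight: "~" lowest, end of string 0, letters, then other chars
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # dpkg walk over alternating non-digit and digit runs
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for k in range(max(len(na), len(nb))):
            oa, ob = _order(na[k:k + 1]), _order(nb[k:k + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):  # numeric, so 10 > 9 and 007 == 7
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_cmp(x, y):  # -1, 0 or 1: x is older than, equal to, newer than y
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return (int(epoch), upstream, rev) if sep else (int(epoch), rest, "")
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_part(ux, uy) or _cmp_part(rx, ry)

def findings(installed, records, ecosystem="Debian:13"):
    # installed maps source package -> version; a record with no "fixed" event emits nothing
    out = []
    for rec in records:
        for aff in rec["affected"]:
            pkg, have = aff["package"], installed.get(aff["package"]["name"])
            if pkg["ecosystem"] != ecosystem or have is None:
                continue
            fixes = [e["fixed"] for r in aff.get("ranges", []) for e in r["events"] if "fixed" in e]
            out += [(rec["id"], pkg["name"], have, f) for f in fixes if deb_cmp(have, f) < 0]
    return out

INSTALLED = {"libexample": "1:2.4.1-3", "exampled": "3.0~rc1-1", "otherpkg": "1.10-2"}  # constructed
FIXES = [("Debian:13", "libexample", "1:2.4.1-3+deb13u1"), ("Debian:13", "exampled", "3.0-1"),
         ("Debian:13", "otherpkg", "1.9-1"), ("Debian:12", "libexample", "1:9.9-1")]
RECORDS = [{"id": f"EXAMPLE-{i}", "affected": [{"package": {"ecosystem": eco, "name": name},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": fix}]}]}]}
           for i, (eco, name, fix) in enumerate(FIXES, 1)]  # constructed OSV-shaped records
```

On this sample, `findings(INSTALLED, RECORDS)` reports only the first two records: `1.10` is newer than `1.9` under numeric comparison, and the `Debian:12` record is filtered out by ecosystem tag.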
Live listings
Top recent critical CVEs (Debian 13 / Debian ecosystem)
Most-recently-published critical CVEs in the Debian 13 / Debian ecosystem, auto-deduped to one row per CVE ID. The table is a baked snapshot, re-fetched live on page load.
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-11293 | critical | 9.6 | Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | chromium | — | |
| DEBIAN-CVE-2026-11282 | critical | 9.6 | Insufficient policy enforcement in Sandbox in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | chromium | — | |
| DEBIAN-CVE-2026-11250 | critical | 9.6 | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Ch | chromium | — | |
| DEBIAN-CVE-2026-11213 | critical | 9.6 | Insufficient validation of untrusted input in Reading Mode in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium | chromium | — | |
| DEBIAN-CVE-2026-11207 | critical | 9.6 | Insufficient validation of untrusted input in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Medium) | chromium | — | |
| DEBIAN-CVE-2026-11198 | critical | 9.6 | Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium) | chromium | — | |
| DEBIAN-CVE-2026-11167 | critical | 9.6 | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium securit | chromium | — | |
| DEBIAN-CVE-2026-11165 | critical | 9.6 | Use after free in WebMIDI in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | chromium | — | |
Top recent high-severity CVEs (Debian 13 / Debian ecosystem)
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-45300 | high | 7.4 | The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cro | async-http-client | — | |
| DEBIAN-CVE-2026-48095 | high | 8.8 | 7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing atta | 7zip | — | |
| DEBIAN-CVE-2026-50264 | high | 7.8 | An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap | xorg-server | — | |
| DEBIAN-CVE-2026-50261 | high | 7.8 | A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing | xorg-server | — | |
| DEBIAN-CVE-2026-50260 | high | 7.8 | A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client co | xorg-server | — | |
| DEBIAN-CVE-2026-50259 | high | 7.8 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a | xorg-server | — | |
| DEBIAN-CVE-2026-50258 | high | 7.8 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMax | xorg-server | — | |
| DEBIAN-CVE-2026-50257 | high | 7.8 | A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set u | xorg-server | — | |
Notable
Recent CVEs Debian 13 operators should know.
- CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE. Debian advisory · Noxen deep-dive.
- CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1. Debian advisory · Noxen deep-dive.
- CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild. Debian advisory.
- CVE-2026-31431 (kernel algif_aead) — Local privilege escalation in the kernel's userspace AEAD interface. Debian advisory · Noxen deep-dive.
FAQ
Frequently asked about Debian 13 CVEs
How many CVEs affect Debian 13?
Debian 13 (Trixie) records are selected from the broader Debian ecosystem feed by ecosystem tag (`Debian:13`). Live counts appear at the top of this page; the underlying feed is rebuilt daily.
How do I check Debian 13 CVEs on a running host?
For a quick check: `apt list --upgradable 2>/dev/null | grep -ci security`. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV `Debian:13` ecosystem feed.
Where does the Debian 13 data come from?
Upstream is the Debian Security Tracker, which OSV.dev ingests and republishes in a normalised ecosystem feed. Noxen consumes the OSV feed, dedupes against NVD, and publishes signed daily snapshots.
Scan a Debian 13 fleet with Noxen
Add your Debian 13 hosts via your existing `~/.ssh/config`; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip.
$79 one-time.