CVE-2022-1664

Name: CVE-2022-1664
Creator: NVD / NIST
Published: 2022-05-26T14:15:08.01+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 2.87%

Last modified Jun 17, 2026

CVE-2022-1664 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.. EPSS estimates a 2.87% chance of exploitation in the next 30 days.

Description

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.87%

85.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions
Debian	Dpkg	>= 1.14.17, < 1.18.26
Debian	Dpkg	>= 1.19.0, < 1.19.8
Debian	Dpkg	>= 1.20.0, < 1.20.10
Debian	Dpkg	>= 1.21.0, < 1.21.8
Debian	Debian Linux	9.0
Debian	Debian Linux	10.0
Debian	Debian Linux	11.0
Netapp	Ontap Select Deploy Administration Utility	All versions

References

https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495Mailing List, Patch, Vendor Advisory
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5Mailing List, Patch, Vendor Advisory
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200bMailing List, Patch, Vendor Advisory
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24beMailing List, Patch, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00033.htmlMailing List, Vendor Advisory
https://lists.debian.org/debian-security-announce/2022/msg00115.htmlMailing List, Vendor Advisory
https://security.netapp.com/advisory/ntap-20221007-0002/Third Party Advisory
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495Mailing List, Patch, Vendor Advisory
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5Mailing List, Patch, Vendor Advisory
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200bMailing List, Patch, Vendor Advisory
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24beMailing List, Patch, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00033.htmlMailing List, Vendor Advisory
https://lists.debian.org/debian-security-announce/2022/msg00115.htmlMailing List, Vendor Advisory
https://security.netapp.com/advisory/ntap-20221007-0002/Third Party Advisory

Timeline

Published: May 26, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-1664?

How severe is CVE-2022-1664?

CVE-2022-1664 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 2.87% probability of exploitation in the next 30 days.

How do I fix CVE-2022-1664?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-1664?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST