Amazon Linux 2023 : firefox (ALAS2023-2026-1725)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1725 advisory. In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. CVE-2026-45186 Use-after-free in th...

Amazon Linux 2023 : libXpm, libXpm-devel (ALAS2023-2026-1656)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1656 advisory. As per upstream advisory: libXpm Out-of-bounds read in xpmNextWord CVE-2026-4367 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Ness...

Amazon Linux 2023 : nspr, nspr-devel, nss (ALAS2023-2026-1703)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1703 advisory. Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. CVE-2026-6766 Other...

Amazon Linux 2023 : bpftool6.12, kernel6.12, kernel6.12-devel (ALAS2023-2026-1695)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1695 advisory. In the Linux kernel, the following vulnerability has been resolved: btrfs: do not free data reservation in fallback from inline due to -ENOSPC CVE-2025-71269 In the Linux kernel, the following...

Amazon Linux 2 : ImageMagick, --advisory ALAS2-2026-3278 (ALAS-2026-3278)

The version of ImageMagick installed on the remote host is prior to 6.9.10.97-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3278 advisory. ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 a...

Amazon Linux 2023 : cifs-utils, cifs-utils-devel, cifs-utils-info (ALAS2023-2026-1597)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1597 advisory. A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. Thi...

Amazon Linux 2023 : gdk-pixbuf2, gdk-pixbuf2-devel, gdk-pixbuf2-modules (ALAS2023-2026-1553)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1553 advisory. In GNOME GdkPixbuf aka gdk-pixbuf through 2.42.10, the ANI Windows animated cursor decoder encounters heap memory corruption in aniloadchunk in io-ani.c when parsing chunks in a crafted .ani...

Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2026-1499)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1499 advisory. cmd/go: bypass of flag sanitization can lead to arbitrary code execution CVE-2025-61731 cmd/go: unexpected code execution when invoking toolchain CVE-2025-68119 Tenable has extracted the...

Amazon Linux 2023 : bind, bind-chroot, bind-devel (ALAS2023-2026-1533)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1533 advisory. If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1484)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1484 advisory. A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js...

Amazon Linux 2023 : expat, expat-devel, expat-static (ALAS2023-2026-1425)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1425 advisory. In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. CVE-2026-25210 Tenable has...

Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2026-1375)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1375 advisory. No QUIC certificate pinning with GnuTLS NOTE: https://curl.se/docs/CVE-2025-13034.htmlNOTE: Introduced with: https://github.com/curl/curl/commit/3210101088dfa3d6a125d213226b092f2f866722...

Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2026-1438)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1438 advisory. A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. CVE-2025-61732 Tenable has extracted the preceding description block directly from...

Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2026-1381)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1381 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processe...

Amazon Linux 2023 : java-11-amazon-corretto, java-11-amazon-corretto-devel, java-11-amazon-corretto-headless (ALAS2023-2026-1384)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1384 advisory. Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: RMI. Supported versions that are affected are Oracle Java SE...

Amazon Linux 2023 : java-17-amazon-corretto, java-17-amazon-corretto-devel, java-17-amazon-corretto-headless (ALAS2023-2026-1385)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1385 advisory. Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: RMI. Supported versions that are affected are Oracle Java SE...

Amazon Linux 2023 : python3.13-wheel, python3.13-wheel-wheel (ALAS2023-2026-1414)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1414 advisory. wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through...

Amazon Linux 2023 : composer (ALAS2023-2026-1365)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1365 advisory. Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI contro...

Amazon Linux 2023 : mariadb1011, mariadb1011-backup, mariadb1011-client-utils (ALAS2023-2025-1331)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1331 advisory. A flaw was found in MariaDB. This vulnerability allows remote attackers to execute arbitrary code on affected installations via improper validation of a user-supplied path prior to using it in...

Amazon Linux 2023 : bpftool, kernel, kernel-devel (ALAS2023-2025-1350)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1350 advisory. In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix NULL dereference on q-elevator in blkmqelvswitchnone CVE-2023-53292 In the Linux kernel, the following...