Amazon Linux 2023 : libssh2, libssh2-devel (ALAS2023-2026-1779)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1779 advisory. A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauthpassword of the file src/userauth.c. Such manipulation of the argument...

Amazon Linux 2023 : python3.14, python3.14-devel, python3.14-freethreading (ALAS2023-2026-1774)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1774 advisory. The tarfile module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result ...

Amazon Linux 2023 : composer (ALAS2023-2026-1800)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1800 advisory. Github Actions issued GITHUBTOKEN disclosure in GitHub Actions logs CVE-2026-45793 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that...

Amazon Linux 2023 : device-mapper-persistent-data (ALAS2023-2026-1791)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1791 advisory. An unsoundness issue RUSTSEC-2026-0097 was found in the bundled Rust rand crate used by device-mapper- persistent-data. ThreadRng methods use unsafe code that can create aliased mutable references when...

Amazon Linux 2 : perl-YAML-Syck, --advisory ALAS2-2026-3327 (ALAS-2026-3327)

The version of perl-YAML-Syck installed on the remote host is prior to 1.27-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3327 advisory. YAML::Syck versions before 1.38 for Perl has an out-of-bounds read. The base60 sexagesimal parsing code in perlsyck.h has a...

Amazon Linux 2023 : ruby4.0, ruby4.0-bundled-gems, ruby4.0-default-gems (ALAS2023-2026-1806)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1806 advisory. Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause...

Amazon Linux 2023 : aspnetcore-runtime-9.0, aspnetcore-runtime-dbg-9.0, aspnetcore-targeting-pack-9.0 (ALAS2023-2026-1802)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1802 advisory. Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally. CVE-2026-32177 Loop with unreachable exit condition 'infinite loop' in ASP.NET Core allows an...

Amazon Linux 2 : nginx, --advisory ALAS2NGINX1-2026-013 (ALASNGINX1-2026-013)

The version of nginx installed on the remote host is prior to 1.30.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2026-013 advisory. NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttprewritemodule module. This vulnerability exists when a...

Amazon Linux 2 : libsolv, --advisory ALAS2-2026-3338 (ALAS-2026-3338)

The version of libsolv installed on the remote host is prior to 0.6.34-4. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3338 advisory. A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker- controlled compressed...

Amazon Linux 2023 : libsolv, libsolv-demo, libsolv-devel (ALAS2023-2026-1798)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1798 advisory. A flaw was found in libsolv. A stack-based buffer overflow vulnerability exists in the PGP verification component due to incorrect length handling when copying EdDSA 's' MPI into a stack buffe...

Amazon Linux 2023 : perl-HTTP-Tiny, perl-HTTP-Tiny-tests (ALAS2023-2026-1765)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1765 advisory. HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that...

Important: amazon-ssm-agent

Issue Overview: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGSMAXFRAMESIZE with a value of 0. CVE-2026-33814 Affected Packages: amazon-ssm-agent Issue Correction: Run dnf update amazon-ssm-agent --releasever...

Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2026-1813)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1813 advisory. When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGSMAXFRAMESIZE with a value of 0. CVE-2026-33814 Tenable has extracte...

Amazon Linux 2 : amazon-ssm-agent, --advisory ALAS2-2026-3350 (ALAS-2026-3350)

The version of amazon-ssm-agent installed on the remote host is prior to 3.3.4515.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3350 advisory. When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it...

Amazon Linux 2023 : postgresql17, postgresql17-contrib, postgresql17-llvmjit (ALAS2023-2026-1766)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1766 advisory. Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use searchpath to find user-defined types, including extension-defined types. That is to...

Amazon Linux 2023 : postgresql16, postgresql16-contrib, postgresql16-llvmjit (ALAS2023-2026-1767)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1767 advisory. Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use searchpath to find user-defined types, including extension-defined types. That is to...

Amazon Linux 2 : postgresql, --advisory ALAS2-2026-3344 (ALAS-2026-3344)

The version of postgresql installed on the remote host is prior to 9.2.24-8. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3344 advisory. Use of inherently dangerous function PQfn..., resultisint=0, ... in PostgreSQL libpq loexport, loread, lolseek64, and...

Amazon Linux 2 : libpq, --advisory ALAS2POSTGRESQL14-2026-023 (ALASPOSTGRESQL14-2026-023)

The version of libpq installed on the remote host is prior to 14.23-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2POSTGRESQL14-2026-023 advisory. Use of inherently dangerous function PQfn..., resultisint=0, ... in PostgreSQL libpq loexport, loread, lolseek64,...

Amazon Linux 2 : postgresql, --advisory ALAS2POSTGRESQL14-2026-024 (ALASPOSTGRESQL14-2026-024)

The version of postgresql installed on the remote host is prior to 14.23-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2POSTGRESQL14-2026-024 advisory. Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use...

Amazon Linux 2023 : aspnetcore-runtime-10.0, aspnetcore-runtime-dbg-10.0, aspnetcore-targeting-pack-10.0 (ALAS2023-2026-1803)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1803 advisory. Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally. CVE-2026-32177 Loop with unreachable exit condition 'infinite loop' in ASP.NET Core allows an...