Amazon Linux 2023 : giflib, giflib-devel, giflib-utils (ALAS2023-2026-1508)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1508 advisory. Giflib contains a double-free vulnerability that is the result of a shallow copy in GifMakeSavedImage and incorrect error handling. The conditions needed to trigger this vulnerability are difficult but...

Amazon Linux 2023 : gstreamer1-plugins-base, gstreamer1-plugins-base-devel, gstreamer1-plugins-base-tools (ALAS2023-2026-1504)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1504 advisory. An integer overflow in the RIFF parser that can cause crashes for certain input files. CVE-2026-2921 Tenable has extracted the preceding description block directly from the tested product security...

Amazon Linux 2 : gstreamer1-plugins-good, --advisory ALAS2-2026-3209 (ALAS-2026-3209)

The version of gstreamer1-plugins-good installed on the remote host is prior to 1.18.4-6. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3209 advisory. Heap-based buffer overflow and out-of-bounds write in the RTP QDM2 depayloader. CVE-2026-3083 Heap-based...

Medium: gstreamer1-plugins-good

Issue Overview: An out-of-bounds read in the WAV parser that can cause crashes for certain input files. CVE-2026-1940 Affected Packages: gstreamer1-plugins-good Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and...

Important: bind

Issue Overview: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries see:...

Important: bind

Issue Overview: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries see:...

Amazon Linux 2 : gstreamer1-plugins-base, --advisory ALAS2-2026-3210 (ALAS-2026-3210)

The version of gstreamer1-plugins-base installed on the remote host is prior to 1.18.4-5. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3210 advisory. An integer overflow in the RIFF parser that can cause crashes for certain input files. CVE-2026-2921 Tenable has...

Amazon Linux 2023 : python3.12-pip, python3.12-pip-wheel (ALAS2023-2026-1530)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1530 advisory. When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation...

Amazon Linux 2023 : aspnetcore-runtime-8.0, aspnetcore-runtime-dbg-8.0, aspnetcore-targeting-pack-8.0 (ALAS2023-2026-1505)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1505 advisory. Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. CVE-2026-26130 Tenable has extracted the preceding description block...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.10-2026-115 (ALASKERNEL-5.10-2026-115)

The version of kernel installed on the remote host is prior to 5.10.252-250.992. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2026-115 advisory. In the Linux kernel, the following vulnerability has been resolved: smack: /smack/doi: accept previously...

Amazon Linux 2023 : bind, bind-chroot, bind-devel (ALAS2023-2026-1533)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1533 advisory. If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there...

Amazon Linux 2023 : below (ALAS2023-2026-1523)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1523 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack...

Amazon Linux 2023 : gnutls, gnutls-c++, gnutls-dane (ALAS2023-2026-1529)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1529 advisory. A flaw was found in GnuTLS. This vulnerability allows a denial of service DoS by excessive CPU Central Processing Unit and memory consumption via specially crafted malicious certificates containing a...

Amazon Linux 2 : bind, --advisory ALAS2-2026-3226 (ALAS-2026-3226)

The version of bind installed on the remote host is prior to 9.11.4-26.P2. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3226 advisory. If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive...

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1526)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1526 advisory. Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names e.g., Content-Length and content-length. This produces malformed HTTP/1.1 request...

Amazon Linux 2023 : gstreamer1-plugins-good, gstreamer1-plugins-good-gtk (ALAS2023-2026-1503)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1503 advisory. Heap-based buffer overflow and out-of-bounds write in the RTP QDM2 depayloader. CVE-2026-3083 Heap-based buffer overflow and out-of-bounds write in the RTP QDM2 depayloader. CVE-2026-3085...

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: smack: /smack/doi: accept previously used values CVE-2025-71304 In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg unconditional requeue CVE-2026-23066 In the Linux kernel, the...

Amazon Linux 2 : perl-YAML-Syck, --advisory ALAS2-2026-3216 (ALAS-2026-3216)

The version of perl-YAML-Syck installed on the remote host is prior to 1.27-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3216 advisory. YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high- severity heap buff...

Amazon Linux 2 : ecs-service-connect-agent, --advisory ALAS2ECS-2026-100 (ALASECS-2026-100)

The version of ecs-service-connect-agent installed on the remote host is prior to v1.34.13.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-100 advisory. Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3219 (ALAS-2026-3219)

The version of thunderbird installed on the remote host is prior to 140.8.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3219 advisory. A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XML...