Amazon Linux 2 : golang, --advisory ALAS2-2026-3203 (ALAS-2026-3203)

The version of golang installed on the remote host is prior to 1.25.8-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3203 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix...

Medium: python

Issue Overview: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. CVE-2025-11468 User-controlled...

Low: firefox

Issue Overview: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used...

Amazon Linux 2 : aide, --advisory ALAS2-2026-3186 (ALAS-2026-3186)

The version of aide installed on the remote host is prior to 0.16.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3186 advisory. AIDE is an advanced intrusion detection environment. From versions 0.13 to 0.19.1, there is a null pointer dereference vulnerability ...

Amazon Linux 2 : firefox, --advisory ALAS2FIREFOX-2026-052 (ALASFIREFOX-2026-052)

The version of firefox installed on the remote host is prior to 140.7.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2FIREFOX-2026-052 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type...

Medium: libpng

Issue Overview: libpng: An out-of-bounds read vulnerability exists in the pngsetquantize API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to...

Low: thunderbird

Issue Overview: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3190 (ALAS-2026-3190)

The version of thunderbird installed on the remote host is prior to 140.7.2-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3190 advisory. A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. This...

Amazon Linux 2 : qemu, --advisory ALAS2-2026-3182 (ALAS-2026-3182)

The version of qemu installed on the remote host is prior to 3.1.0-8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3182 advisory. A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a...

Medium: rust

Issue Overview: No CVE was issued for this update. Affected Packages: rust Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum update rust or yum update --advisory...

Medium: qemu

Issue Overview: A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition DoS. CVE-2026-2243 Affected Packages: qemu Note: This advisory is applicable ...

Amazon Linux 2 : python-pillow, --advisory ALAS2-2026-3180 (ALAS-2026-3180)

The version of python-pillow installed on the remote host is prior to 2.0.0-23.gitd1c6db8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3180 advisory. Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when...

Important: thunderbird

Issue Overview: A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating...

Important: freerdp

Issue Overview: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdpwritelogoninfov2 allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. Th...

Amazon Linux 2 : freerdp, --advisory ALAS2-2026-3181 (ALAS-2026-3181)

The version of freerdp installed on the remote host is prior to 2.11.7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3181 advisory. FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerabilit...

Amazon Linux 2 : containerd, --advisory ALAS2ECS-2026-098 (ALASECS-2026-098)

The version of containerd installed on the remote host is prior to 2.1.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-098 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary...

Amazon Linux 2 : evolution-data-server, --advisory ALAS2-2026-3179 (ALAS-2026-3179)

The version of evolution-data-server installed on the remote host is prior to 3.28.5-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3179 advisory. The Evolution backend server exposes the D-Bus service org.gnome.evolution.dataserver.AddressBook, that can be used ...

Amazon Linux 2 : ecs-init, --advisory ALAS2ECS-2026-097 (ALASECS-2026-097)

The version of ecs-init installed on the remote host is prior to 1.101.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-097 advisory. The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, whi...

Amazon Linux 2 : firefox, --advisory ALAS2FIREFOX-2026-053 (ALASFIREFOX-2026-053)

The version of firefox installed on the remote host is prior to 140.7.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2026-053 advisory. A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. Th...

Amazon Linux 2 : postgresql, --advisory ALAS2POSTGRESQL14-2026-022 (ALASPOSTGRESQL14-2026-022)

The version of postgresql installed on the remote host is prior to 14.21-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2POSTGRESQL14-2026-022 advisory. Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server...