Amazon Linux 2023 : gstreamer1-plugins-good, gstreamer1-plugins-good-gtk (ALAS2023-2026-1579)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1579 advisory. An out-of-bounds read in the WAV parser that can cause crashes for certain input files. CVE-2026-1940 Tenable has extracted the preceding description block directly from the tested product security...

Amazon Linux 2023 : sudo, sudo-devel, sudo-logsrvd (ALAS2023-2026-1559)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1559 advisory. In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation...

Amazon Linux 2023 : amazon-ecr-credential-helper (ALAS2023-2026-1574)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1574 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or...

Amazon Linux 2023 : tigervnc, tigervnc-icons, tigervnc-license (ALAS2023-2026-1537)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1537 advisory. In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions. CVE-2026-34352...

Amazon Linux 2023 : oci-add-hooks (ALAS2023-2026-1575)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1575 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or...

Amazon Linux 2023 : runc (ALAS2023-2026-1541)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1541 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or...

Amazon Linux 2023 : nginx, nginx-all-modules, nginx-core (ALAS2023-2026-1540)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1540 advisory. When the ngxmailauthhttpmodule module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when 1 CRAM-MD5 or APOP...

Amazon Linux 2023 : squid (ALAS2023-2026-1569)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1569 advisory. Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service...

Amazon Linux 2023 : libpng, libpng-devel, libpng-static (ALAS2023-2026-1563)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1563 advisory. LIBPNG is a reference library for use in applications that read, create, and manipulate PNG Portable Network Graphics raster image files. In versions 1.2.1 through 1.6.55, pngsettRNS and...

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg unconditional requeue CVE-2026-23066 Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.4 Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extr...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.4-2026-119 (ALASKERNEL-5.4-2026-119)

The version of kernel installed on the remote host is prior to 5.4.302-223.457. It is, therefore, affected by a vulnerability as referenced in the ALAS2KERNEL-5.4-2026-119 advisory. In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg unconditional requeue...

Amazon Linux 2023 : python3-jwt, python3-jwt+crypto (ALAS2023-2026-1519)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1519 advisory. A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 SS4.1.11. When a JWS token contains a crit array listing...

Medium: firefox

Issue Overview: A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XML content with empty external parameter entities. This could lead to a NULL pointer dereference, causing the application to crash and resulting in a Denial of Service...

Important: dotnet8.0

Issue Overview: Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. CVE-2026-26130 Affected Packages: dotnet8.0 Issue Correction: Run dnf update dotnet8.0 --releasever 2023.10.20260330 or dnf update --advisory...

Low: python3.12-pip

Issue Overview: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical...

Amazon Linux 2023 : gstreamer1-plugins-base, gstreamer1-plugins-base-devel, gstreamer1-plugins-base-tools (ALAS2023-2026-1504)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1504 advisory. An integer overflow in the RIFF parser that can cause crashes for certain input files. CVE-2026-2921 Tenable has extracted the preceding description block directly from the tested product security...

Amazon Linux 2023 : ImageMagick, ImageMagick-c++, ImageMagick-c++-devel (ALAS2023-2026-1511)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1511 advisory. ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to ...

Important: python3-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates...

Amazon Linux 2023 : python3.11-pip, python3.11-pip-wheel (ALAS2023-2026-1531)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1531 advisory. When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation...

Amazon Linux 2 : firefox, --advisory ALAS2FIREFOX-2026-055 (ALASFIREFOX-2026-055)

The version of firefox installed on the remote host is prior to 140.8.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2026-055 advisory. A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XM...