Medium: thunderbird

Issue Overview: A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XML content with empty external parameter entities. This could lead to a NULL pointer dereference, causing the application to crash and resulting in a Denial of Service...

Medium: rust

Issue Overview: Decompressing invalid LZ4 data can leak data from uninitialized memory, or can leak content from previous decompression operations when reusing an output buffer. CVE-2026-32829 Affected Packages: rust Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit...

Low: python3.12-pip

Issue Overview: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical...

Medium: firefox

Issue Overview: A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XML content with empty external parameter entities. This could lead to a NULL pointer dereference, causing the application to crash and resulting in a Denial of Service...

Important: gstreamer1-plugins-bad-free

Issue Overview: GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack...

Important: gstreamer1-plugins-base

Issue Overview: An integer overflow in the RIFF parser that can cause crashes for certain input files. CVE-2026-2921 Affected Packages: gstreamer1-plugins-base Issue Correction: Run dnf update gstreamer1-plugins-base --releasever 2023.10.20260330 or dnf update --advisory ALAS2023-2026-1504...

Important: giflib

Issue Overview: Giflib contains a double-free vulnerability that is the result of a shallow copy in GifMakeSavedImage and incorrect error handling. The conditions needed to trigger this vulnerability are difficult but may be possible. CVE-2026-23868 Affected Packages: giflib Note: This advisory i...

Important: python-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates...

Important: gstreamer1-plugins-good

Issue Overview: Heap-based buffer overflow and out-of-bounds write in the RTP QDM2 depayloader. CVE-2026-3083 Heap-based buffer overflow and out-of-bounds write in the RTP QDM2 depayloader. CVE-2026-3085 Affected Packages: gstreamer1-plugins-good Note: This advisory is applicable to Amazon Linux ...

Amazon Linux 2 : python3, --advisory ALAS2-2026-3217 (ALAS-2026-3217)

The version of python3 installed on the remote host is prior to 3.7.16-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3217 advisory. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |...

Amazon Linux 2 : python, --advisory ALAS2-2026-3218 (ALAS-2026-3218)

The version of python installed on the remote host is prior to 2.7.18-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3218 advisory. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |=...

Medium: python

Issue Overview: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...

Medium: python3

Issue Overview: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...

Medium: gstreamer1-plugins-good

Issue Overview: An out-of-bounds read in the WAV parser that can cause crashes for certain input files. CVE-2026-1940 Affected Packages: gstreamer1-plugins-good Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and...

Important: bind

Issue Overview: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries see:...

Important: bind

Issue Overview: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries see:...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3219 (ALAS-2026-3219)

The version of thunderbird installed on the remote host is prior to 140.8.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3219 advisory. A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XML...

Amazon Linux 2 : ImageMagick, --advisory ALAS2-2026-3220 (ALAS-2026-3220)

The version of ImageMagick installed on the remote host is prior to 6.9.10.97-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3220 advisory. A flaw was found in ImageMagick. An integer overflow vulnerability exists in the SIXEL decoder, which allows a...

Amazon Linux 2023 : ImageMagick, ImageMagick-c++, ImageMagick-c++-devel (ALAS2023-2026-1511)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1511 advisory. ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to ...

Amazon Linux 2023 : giflib, giflib-devel, giflib-utils (ALAS2023-2026-1508)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1508 advisory. Giflib contains a double-free vulnerability that is the result of a shallow copy in GifMakeSavedImage and incorrect error handling. The conditions needed to trigger this vulnerability are difficult but...