Amazon Linux 2 : golang, --advisory ALAS2-2026-3203 (ALAS-2026-3203)

The version of golang installed on the remote host is prior to 1.25.8-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3203 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix...

Amazon Linux 2 : freerdp, --advisory ALAS2-2026-3199 (ALAS-2026-3199)

The version of freerdp installed on the remote host is prior to 2.11.7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3199 advisory. FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can...

Amazon Linux 2 : libtiff, --advisory ALAS2-2026-3196 (ALAS-2026-3196)

The version of libtiff installed on the remote host is prior to 4.0.3-35. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3196 advisory. libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tifopen.c...

Important: amazon-ssm-agent

Issue Overview: cmd/go: bypass of flag sanitization can lead to arbitrary code execution CVE-2025-61731 cmd/go: unexpected code execution when invoking toolchain CVE-2025-68119 Affected Packages: amazon-ssm-agent Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this...

Medium: libsodium

Issue Overview: libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to cryptocoreed25519isvalidpoint, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group...

Amazon Linux 2 : amazon-ssm-agent, --advisory ALAS2-2026-3207 (ALAS-2026-3207)

The version of amazon-ssm-agent installed on the remote host is prior to 3.3.3883.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3207 advisory. cmd/go: bypass of flag sanitization can lead to arbitrary code execution CVE-2025-61731 cmd/go: unexpected...

Low: firefox

Issue Overview: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used...

Amazon Linux 2 : libpng, --advisory ALAS2-2026-3189 (ALAS-2026-3189)

The version of libpng installed on the remote host is prior to 1.5.13-8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3189 advisory. libpng: An out-of-bounds read vulnerability exists in the pngsetquantize API function. When the function is called with no histogra...

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1466)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1466 advisory. node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. Th...

Amazon Linux 2 : aide, --advisory ALAS2-2026-3186 (ALAS-2026-3186)

The version of aide installed on the remote host is prior to 0.16.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3186 advisory. AIDE is an advanced intrusion detection environment. From versions 0.13 to 0.19.1, there is a null pointer dereference vulnerability ...

Amazon Linux 2023 : firefox (ALAS2023-2026-1469)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1469 advisory. A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. This can be done by causing the decoder to reference an outside-image-bound area...

Medium: python

Issue Overview: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. CVE-2025-11468 User-controlled...

Amazon Linux 2 : python3, --advisory ALAS2-2026-3184 (ALAS-2026-3184)

The version of python3 installed on the remote host is prior to 3.7.16-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3184 advisory. When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be...

Amazon Linux 2 : firefox, --advisory ALAS2FIREFOX-2026-052 (ALASFIREFOX-2026-052)

The version of firefox installed on the remote host is prior to 140.7.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2FIREFOX-2026-052 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type...

Medium: libpng

Issue Overview: libpng: An out-of-bounds read vulnerability exists in the pngsetquantize API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to...

Low: thunderbird

Issue Overview: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used...

Amazon Linux 2023 : wireshark-cli, wireshark-devel (ALAS2023-2026-1450)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1450 advisory. MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service CVE-2025-11626 Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial...

Amazon Linux 2023 : bpftool, kernel, kernel-devel (ALAS2023-2026-1468)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1468 advisory. In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Reinit blkgiostatset after clearing in blkcgresetstats CVE-2023-53421 In the Linux kernel, the following...

Amazon Linux 2023 : cuda-toolkit-13 (ALAS2023NVIDIA-2026-276)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023NVIDIA-2026-276 advisory. NVIDIA Nsight Systems contains a vulnerability in the gfxhotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the processnsysrepcli.py script if...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3190 (ALAS-2026-3190)

The version of thunderbird installed on the remote host is prior to 140.7.2-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3190 advisory. A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. This...