Important: postgresql

Issue Overview: Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before...

Medium: containerd

Issue Overview: net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 crypto/tls: Config.Clone copies...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3177 (ALAS-2026-3177)

The version of thunderbird installed on the remote host is prior to 140.7.1-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3177 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type...

Amazon Linux 2 : qemu, --advisory ALAS2-2026-3182 (ALAS-2026-3182)

The version of qemu installed on the remote host is prior to 3.1.0-8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3182 advisory. A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a...

Amazon Linux 2023 : python3-jwt, python3-jwt+crypto (ALAS2023-2026-1467)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1467 advisory. pyjwt v2.10.1 was discovered to contain weak encryption. CVE-2025-45768 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus has no...

Medium: rust

Issue Overview: No CVE was issued for this update. Affected Packages: rust Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum update rust or yum update --advisory...

Medium: qemu

Issue Overview: A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition DoS. CVE-2026-2243 Affected Packages: qemu Note: This advisory is applicable ...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1464)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1464 advisory. node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. Th...

Amazon Linux 2023 : firefox (ALAS2023-2026-1445)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1445 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack...

Amazon Linux 2 : qt5-qt3d, --advisory ALAS2-2026-3187 (ALAS-2026-3187)

The version of qt5-qt3d installed on the remote host is prior to 5.15.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3187 advisory. A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. This affects the functi...

Medium: ecs-init

Issue Overview: The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service DoS if an attacker provides specially crafted HTML content. CVE-2025-47911 The html.Parse function in golang.org/x/net/html has an...

Amazon Linux 2023 : libxml2, libxml2-devel, libxml2-static (ALAS2023-2026-1446)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1446 advisory. A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user...

Important: thunderbird

Issue Overview: A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating...

Amazon Linux 2023 : cuda (ALAS2023NVIDIA-2026-277)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023NVIDIA-2026-277 advisory. NVIDIA Nsight Systems contains a vulnerability in the gfxhotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the processnsysrepcli.py script if...

Amazon Linux 2023 : libssh, libssh-config, libssh-devel (ALAS2023-2026-1461)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1461 advisory. libssh: Buffer underflow in sshgethexa on invalid input CVE-2026-0966 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus has not...

Amazon Linux 2 : evolution-data-server, --advisory ALAS2-2026-3179 (ALAS-2026-3179)

The version of evolution-data-server installed on the remote host is prior to 3.28.5-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3179 advisory. The Evolution backend server exposes the D-Bus service org.gnome.evolution.dataserver.AddressBook, that can be used ...

Important: freerdp

Issue Overview: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdpwritelogoninfov2 allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. Th...

Amazon Linux 2 : freerdp, --advisory ALAS2-2026-3181 (ALAS-2026-3181)

The version of freerdp installed on the remote host is prior to 2.11.7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3181 advisory. FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerabilit...

Amazon Linux 2 : runc, --advisory ALAS2ECS-2026-099 (ALASECS-2026-099)

The version of runc installed on the remote host is prior to 1.3.4-2. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-099 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP...

Amazon Linux 2 : containerd, --advisory ALAS2ECS-2026-098 (ALASECS-2026-098)

The version of containerd installed on the remote host is prior to 2.1.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-098 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary...