Amazon Linux 2023

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1602 Related CVEs: CVE-2025-67030 Upstream summary: Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code (CVE-2025-67030) Table of […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1623 Related CVEs: CVE-2026-40393 Upstream summary: In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1605 Related CVEs: CVE-2026-27143 CVE-2026-27144 CVE-2026-32280 CVE-2026-32281 CVE-2026-32282 CVE-2026-32283 CVE-2026-32288 CVE-2026-32289  +12 more Upstream summary: Arithmetic over induction variables in loops were not correctly checked for underflow or overflow in […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1633 Related CVEs: CVE-2026-40170 Upstream summary: ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1612 Related CVEs: CVE-2026-34378 CVE-2026-34380 CVE-2026-34588 CVE-2026-27622 CVE-2025-12495 CVE-2025-12839 CVE-2026-34544 CVE-2024-31047  +4 more Upstream summary: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1604 Related CVEs: CVE-2026-35385 CVE-2024-6387 CVE-2024-6409 CVE-2016-10009 CVE-2023-38408 CVE-2025-26465 CVE-2023-51385 CVE-2023-48795  +3 more Upstream summary: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1590 Related CVEs: CVE-2024-28102 CVE-2026-39373 Upstream summary: JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1620 Related CVEs: CVE-2026-0672 CVE-2026-3644 CVE-2026-4224 CVE-2026-4519 CVE-2026-4786 CVE-2026-6100 CVE-2025-8194 CVE-2024-12718  +12 more Upstream summary: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1619 Related CVEs: CVE-2026-0672 CVE-2026-3644 CVE-2026-4224 CVE-2026-4519 CVE-2026-4786 CVE-2026-6100 CVE-2025-8194 CVE-2024-12718  +12 more Upstream summary: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= […]

🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026 Affected versions: Amazon Linux 2023 📖 ~4 min read  •  Source: Amazon Linux advisory ALAS2023-2026-1617 Related CVEs: CVE-2026-0672 CVE-2026-3644 CVE-2026-4224 CVE-2026-4519 CVE-2026-4786 CVE-2026-6100 CVE-2026-2297 Upstream summary: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all […]