Amazon Linux 2 Security Advisory: ALAS2-2026-3256
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-04-30
Severity:
Low
Issue Overview:
When pip installs and extracts a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, so it cannot inject or overwrite executable files in typical situations. (CVE-2026-1703)
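The following is an added example, not code from pip or from this advisory: it audits a wheel archive for entries that would land outside the installation directory, and shows why a character-wise prefix comparison misses a sibling directory whose name merely begins with the installation directory's name. It assumes the flaw class is such a prefix comparison; the function names, the `DEST` path and the sample archive are constructed for illustration.

```python
import io
import posixpath  # wheel entry names always use "/" separators
import zipfile

DEST = "/opt/app/site-packages"  # constructed installation directory


def escapes_by_prefix_check(dest, name):
    """Weak check: compares characters, so 'site-packages-old' looks inside."""
    dest = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest, name))
    return not target.startswith(dest)


def escapes_by_component_check(dest, name):
    """Strict check: compares whole path components."""
    dest = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest, name))
    return posixpath.commonpath([dest, target]) != dest


def audit_wheel(wheel_bytes, dest):
    """Return the archive entries that would be written outside dest."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [n for n in zf.namelist() if escapes_by_component_check(dest, n)]


def build_sample_wheel():
    """Constructed sample archive with empty files; not a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "")
        zf.writestr("demo-1.0.dist-info/METADATA", "Name: demo\n")
        zf.writestr("../site-packages-old/demo.py", "")  # sibling sharing the prefix
        zf.writestr("../../etc/demo.conf", "")           # unrelated directory
    return buf.getvalue()


if __name__ == "__main__":
    for entry in audit_wheel(build_sample_wheel(), DEST):
        weak = escapes_by_prefix_check(DEST, entry)
        print(f"{entry}: outside install dir (prefix check flags it: {weak})")
```

The same audit can be run over a downloaded wheel's bytes before installation on hosts that have not yet received the updated packages.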
Affected Packages:
python-pip
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python-pip or yum update --advisory ALAS2-2026-3256 to update your system.
New Packages:
noarch:
python2-pip-20.2.2-1.amzn2.0.16.noarch
python3-pip-20.2.2-1.amzn2.0.16.noarch
python-pip-wheel-20.2.2-1.amzn2.0.16.noarch
src:
python-pip-20.2.2-1.amzn2.0.16.src