ALAS2023-2026-1435

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1435
Advisory Released Date: 2026-02-18
Advisory Updated Date: 2026-02-18

Severity: Medium

References: CVE-2026-22693 CVE-2026-22695 CVE-2026-22801
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. (CVE-2026-22693)

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54. (CVE-2026-22695)

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. (CVE-2026-22801)

Affected Packages:

firefox

Issue Correction:
Run dnf update firefox --releasever 2023.10.20260216 or dnf update --advisory ALAS2023-2026-1435 --releasever 2023.10.20260216 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    firefox-debuginfo-140.7.0-1.amzn2023.0.3.aarch64
    firefox-140.7.0-1.amzn2023.0.3.aarch64
    firefox-debugsource-140.7.0-1.amzn2023.0.3.aarch64

src:
    firefox-140.7.0-1.amzn2023.0.3.src

x86_64:
    firefox-debuginfo-140.7.0-1.amzn2023.0.3.x86_64
    firefox-140.7.0-1.amzn2023.0.3.x86_64
    firefox-debugsource-140.7.0-1.amzn2023.0.3.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-22693, CVE-2026-22695, CVE-2026-22801

Mitre: CVE-2026-22693, CVE-2026-22695, CVE-2026-22801