Amazon Linux 2023 Security Advisory: ALAS2023-2026-1469
Advisory Released Date: 2026-03-05
Advisory Updated Date: 2026-03-05
FAQs regarding Amazon Linux ALAS/CVE Severity
A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory.
This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas. (CVE-2025-12474)
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.
This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags). (CVE-2026-1837)
Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2. (CVE-2026-2447)
Affected Packages:
firefox
Issue Correction:
Run dnf update firefox --releasever 2023.10.20260302 or dnf update --advisory ALAS2023-2026-1469 --releasever 2023.10.20260302 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
firefox-debuginfo-140.7.1-1.amzn2023.0.1.aarch64
firefox-140.7.1-1.amzn2023.0.1.aarch64
firefox-debugsource-140.7.1-1.amzn2023.0.1.aarch64
src:
firefox-140.7.1-1.amzn2023.0.1.src
x86_64:
firefox-debuginfo-140.7.1-1.amzn2023.0.1.x86_64
firefox-140.7.1-1.amzn2023.0.1.x86_64
firefox-debugsource-140.7.1-1.amzn2023.0.1.x86_64