ALAS2023-2026-1580

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1580
Advisory Released Date: 2026-04-13
Advisory Updated Date: 2026-04-13

Severity: Low

References: CVE-2026-1764 CVE-2026-1765 CVE-2026-1766 CVE-2026-1767
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in GNOME localsearch MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data. (CVE-2026-1764)

A flaw was found in the `tracker-extract-mp3` component of GNOME localsearch. This vulnerability, a heap buffer overflow, occurs when processing specially crafted MP3 files. A remote attacker could exploit this by providing a malicious MP3 file, leading to a Denial of Service (DoS) where the application crashes. It may also potentially expose sensitive information from the system's memory. (CVE-2026-1765)

A flaw was found in GNOME localsearch MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment) tags. An attacker could exploit this by providing a malicious MP3 file, leading to a denial of service (DoS), which causes an application crash, and potentially disclosing sensitive information from the heap memory. (CVE-2026-1766)

A flaw was found in the GNOME localsearch MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. This incorrect length calculation during the parsing of performer tags can lead to a read beyond the allocated buffer, potentially causing a Denial of Service (DoS) due to a crash or enabling information disclosure. (CVE-2026-1767)

Affected Packages:

tracker-miners

Issue Correction:
Run dnf update tracker-miners --releasever 2023.11.20260413 or dnf update --advisory ALAS2023-2026-1580 --releasever 2023.11.20260413 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    tracker-miners-debugsource-3.7.4-2.amzn2023.0.2.aarch64
    tracker-miners-debuginfo-3.7.4-2.amzn2023.0.2.aarch64
    tracker-miners-3.7.4-2.amzn2023.0.2.aarch64

src:
    tracker-miners-3.7.4-2.amzn2023.0.2.src

x86_64:
    tracker-miners-debugsource-3.7.4-2.amzn2023.0.2.x86_64
    tracker-miners-debuginfo-3.7.4-2.amzn2023.0.2.x86_64
    tracker-miners-3.7.4-2.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-1764, CVE-2026-1765, CVE-2026-1766, CVE-2026-1767

Mitre: CVE-2026-1764, CVE-2026-1765, CVE-2026-1766, CVE-2026-1767