ALAS2-2025-2959

Amazon Linux 2 Security Advisory: ALAS2-2025-2959
Advisory Released Date: 2025-08-04
Advisory Updated Date: 2025-08-04

Severity: Medium

References: CVE-2024-10041
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. (CVE-2024-10041)

Affected Packages:

pam

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update pam or yum update --advisory ALAS2-2025-2959 to update your system.

New Packages:

aarch64:
    pam-1.1.8-23.amzn2.0.3.aarch64
    pam-devel-1.1.8-23.amzn2.0.3.aarch64
    pam-debuginfo-1.1.8-23.amzn2.0.3.aarch64

i686:
    pam-1.1.8-23.amzn2.0.3.i686
    pam-devel-1.1.8-23.amzn2.0.3.i686
    pam-debuginfo-1.1.8-23.amzn2.0.3.i686

src:
    pam-1.1.8-23.amzn2.0.3.src

x86_64:
    pam-1.1.8-23.amzn2.0.3.x86_64
    pam-devel-1.1.8-23.amzn2.0.3.x86_64
    pam-debuginfo-1.1.8-23.amzn2.0.3.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2024-10041

Mitre: CVE-2024-10041