Amazon Linux 2 Security Advisory: ALAS2-2026-3190
Advisory Released Date: 2026-03-06
Advisory Updated Date: 2026-03-06
FAQs regarding Amazon Linux ALAS/CVE Severity
A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory.
This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas. (CVE-2025-12474)
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.
This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags). (CVE-2026-1837)
Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2. (CVE-2026-2447)
Affected Packages:
thunderbird
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update thunderbird or yum update --advisory ALAS2-2026-3190 to update your system.
aarch64:
thunderbird-140.7.2-1.amzn2.0.1.aarch64
src:
thunderbird-140.7.2-1.amzn2.0.1.src
x86_64:
thunderbird-140.7.2-1.amzn2.0.1.x86_64