ALAS2-2026-3171

Amazon Linux 2 Security Advisory: ALAS2-2026-3171
Advisory Released Date: 2026-02-19
Advisory Updated Date: 2026-02-19

Severity: Medium

References: CVE-2026-22693 CVE-2026-22695 CVE-2026-22801 CVE-2026-25210
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. (CVE-2026-22693)

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54. (CVE-2026-22695)

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. (CVE-2026-22801)

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. (CVE-2026-25210)

Affected Packages:

thunderbird

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update thunderbird or yum update --advisory ALAS2-2026-3171 to update your system.

New Packages:

aarch64:
    thunderbird-140.7.1-1.amzn2.0.2.aarch64

src:
    thunderbird-140.7.1-1.amzn2.0.2.src

x86_64:
    thunderbird-140.7.1-1.amzn2.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2026-22693, CVE-2026-22695, CVE-2026-22801, CVE-2026-25210

Mitre: CVE-2026-22693, CVE-2026-22695, CVE-2026-22801, CVE-2026-25210