ALAS2-2026-3317

Amazon Linux 2 Security Advisory: ALAS2-2026-3317
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26

Severity: Important

References: CVE-2026-6357
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation. (CVE-2026-6357)

Affected Packages:

python-pip

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python-pip or yum update --advisory ALAS2-2026-3317 to update your system.

New Packages:

noarch:
    python2-pip-20.2.2-1.amzn2.0.17.noarch
    python3-pip-20.2.2-1.amzn2.0.17.noarch
    python-pip-wheel-20.2.2-1.amzn2.0.17.noarch

src:
    python-pip-20.2.2-1.amzn2.0.17.src

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2026-6357

Mitre: CVE-2026-6357