ALAS2-2026-3346


Amazon Linux 2 Security Advisory: ALAS2-2026-3346
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
Severity: Medium

Issue Overview:

When writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7wff-wpr6-vmhm) (CVE-2026-42326)

Due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cwpj-h54c-xjpx) (CVE-2026-45031)

An off-by-one error in the meta encoder could result in an out-of-bounds read of a single byte. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr6r-hmj8-pr7r) (CVE-2026-45358)

An invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation. (CVE-2026-45359)

When performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments. (CVE-2026-45624)

Because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. (CVE-2026-45664)

When reading multiple images with different dimensions an out of bounds heap write can occur. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-36wm-hprc-mcf5) (CVE-2026-46520)

When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jcqp-6r6f-3mfx) (CVE-2026-46521)

Due to a missing check in the MIFF decoder a crafted file could cause an infinite loop resulting in CPU exhaustion. (CVE-2026-46522)

A crafted MSL image can trigger a heap-use-after-free. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5r4x-w6p5-222q) (CVE-2026-46523)

An incorrect check in the JP2 will result in a heap buffer over-write of a single byte when specifying certain options. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-533m-3wf6-c33v) (CVE-2026-46559)

An attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-write in the server process. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p93h-f2jc-477j) (CVE-2026-46692)

An attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92) (CVE-2026-46693)

The distributed pixel cache was originally designed to operate without a challenge-response authentication model. However, given today's heightened security expectations, we have changed our implementation. (CVE-2026-47165)

An attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process. (as per: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6gxq-f64p-5w6f) (CVE-2026-47166)


Affected Packages:

ImageMagick


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update ImageMagick or yum update --advisory ALAS2-2026-3346 to update your system.

New Packages:
aarch64:
    ImageMagick-6.9.10.97-1.amzn2.0.29.aarch64
    ImageMagick-devel-6.9.10.97-1.amzn2.0.29.aarch64
    ImageMagick-doc-6.9.10.97-1.amzn2.0.29.aarch64
    ImageMagick-perl-6.9.10.97-1.amzn2.0.29.aarch64
    ImageMagick-c++-6.9.10.97-1.amzn2.0.29.aarch64
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.29.aarch64
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.29.aarch64

i686:
    ImageMagick-6.9.10.97-1.amzn2.0.29.i686
    ImageMagick-devel-6.9.10.97-1.amzn2.0.29.i686
    ImageMagick-doc-6.9.10.97-1.amzn2.0.29.i686
    ImageMagick-perl-6.9.10.97-1.amzn2.0.29.i686
    ImageMagick-c++-6.9.10.97-1.amzn2.0.29.i686
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.29.i686
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.29.i686

src:
    ImageMagick-6.9.10.97-1.amzn2.0.29.src

x86_64:
    ImageMagick-6.9.10.97-1.amzn2.0.29.x86_64
    ImageMagick-devel-6.9.10.97-1.amzn2.0.29.x86_64
    ImageMagick-doc-6.9.10.97-1.amzn2.0.29.x86_64
    ImageMagick-perl-6.9.10.97-1.amzn2.0.29.x86_64
    ImageMagick-c++-6.9.10.97-1.amzn2.0.29.x86_64
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.29.x86_64
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.29.x86_64
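
Added example, not part of the Amazon Linux advisory: a shell check that compares installed ImageMagick packages with the fixed build 6.9.10.97-1.amzn2.0.29 listed above and reports a running -distribute-cache service. The function names, the use of GNU sort -V in place of RPM's own version comparison, and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
FIXED_VR="6.9.10.97-1.amzn2.0.29"   # version-release from "New Packages"

# vr_at_least INSTALLED FIXED -> exit 0 when INSTALLED >= FIXED.
# Assumption: GNU `sort -V` stands in for RPM's version comparison and
# epochs are ignored; adequate for these dotted, numeric strings.
vr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_packages: read "name version-release" lines on stdin, report each
# ImageMagick package, and return 1 if any is older than FIXED_VR.
audit_packages() {
    rc=0
    while read -r name vr; do
        case "$name" in ImageMagick*) ;; *) continue ;; esac
        if vr_at_least "$vr" "$FIXED_VR"; then
            echo "OK       $name $vr"
        else
            echo "OUTDATED $name $vr (need >= $FIXED_VR)"
            rc=1
        fi
    done
    return "$rc"
}

# audit_host: run the audit against the local RPM database, then list any
# process started with -distribute-cache (the service named in the advisory).
audit_host() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'ImageMagick*' | audit_packages
    status=$?
    pgrep -af -- '-distribute-cache' && echo "NOTE: distributed pixel cache service is running"
    return "$status"
}

# Constructed sample input (not real host output); call audit_host on a host.
SAMPLE='ImageMagick 6.9.10.97-1.amzn2.0.29
ImageMagick-devel 6.9.10.97-1.amzn2.0.9
otherpkg 1.0-1'
printf '%s\n' "$SAMPLE" | audit_packages || echo "update required"
```

The second sample line shows why a plain string comparison is not enough: release 0.9 is older than 0.29 even though it sorts later lexically.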