ALAS2023-2026-1474

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1474
Advisory Released Date: 2026-03-25
Advisory Updated Date: 2026-03-25

Severity: Medium

References: CVE-2025-29070
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A heap buffer overflow vulnerability has been identified in thesmooth2() in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation." (CVE-2025-29070)

Affected Packages:

lcms2

Issue Correction:
Run dnf update lcms2 --releasever 2023.10.20260316 or dnf update --advisory ALAS2023-2026-1474 --releasever 2023.10.20260316 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    lcms2-debuginfo-2.16-74.amzn2023.aarch64
    lcms2-debugsource-2.16-74.amzn2023.aarch64
    lcms2-devel-2.16-74.amzn2023.aarch64
    lcms2-utils-debuginfo-2.16-74.amzn2023.aarch64
    lcms2-2.16-74.amzn2023.aarch64
    lcms2-utils-2.16-74.amzn2023.aarch64

src:
    lcms2-2.16-74.amzn2023.src

x86_64:
    lcms2-debuginfo-2.16-74.amzn2023.x86_64
    lcms2-utils-2.16-74.amzn2023.x86_64
    lcms2-utils-debuginfo-2.16-74.amzn2023.x86_64
    lcms2-debugsource-2.16-74.amzn2023.x86_64
    lcms2-2.16-74.amzn2023.x86_64
    lcms2-devel-2.16-74.amzn2023.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-29070

Mitre: CVE-2025-29070