ALAS2023-2026-1793

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1793
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08

Severity: Important

References: CVE-2026-40930 CVE-2026-8946 CVE-2026-8947 CVE-2026-8950 CVE-2026-8953 CVE-2026-8954 CVE-2026-8955 CVE-2026-8956 CVE-2026-8957 CVE-2026-8958 CVE-2026-8961 CVE-2026-8962 CVE-2026-8968 CVE-2026-8970 CVE-2026-8974 CVE-2026-8975
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to png_process_data (CVE-2026-40930)

Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8946)

Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8947)

Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8950)

Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8953)

Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8954)

Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8955)

Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8956)

Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8957)

Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8958)

Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8961)

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8962)

Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8968)

Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8970)

Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8974)

Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. (CVE-2026-8975)

Affected Packages:

firefox

Issue Correction:
Run dnf update firefox --releasever 2023.12.20260608 or dnf update --advisory ALAS2023-2026-1793 --releasever 2023.12.20260608 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    firefox-debuginfo-140.11.0-1.amzn2023.0.1.aarch64
    firefox-140.11.0-1.amzn2023.0.1.aarch64
    firefox-debugsource-140.11.0-1.amzn2023.0.1.aarch64

src:
    firefox-140.11.0-1.amzn2023.0.1.src

x86_64:
    firefox-debuginfo-140.11.0-1.amzn2023.0.1.x86_64
    firefox-140.11.0-1.amzn2023.0.1.x86_64
    firefox-debugsource-140.11.0-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-40930, CVE-2026-8946, CVE-2026-8947, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975

Mitre: CVE-2026-40930, CVE-2026-8946, CVE-2026-8947, CVE-2026-8950, CVE-2026-8953, CVE-2026-8954, CVE-2026-8955, CVE-2026-8956, CVE-2026-8957, CVE-2026-8958, CVE-2026-8961, CVE-2026-8962, CVE-2026-8968, CVE-2026-8970, CVE-2026-8974, CVE-2026-8975