Detections
Analytics
Amazon Linux 2023 : gdk-pixbuf2, gdk-pixbuf2-devel, gdk-pixbuf2-modules (ALAS2023-2026-1553)
high Nessus Plugin ID 306215
Language:
Synopsis
The remote Amazon Linux 2023 host is missing a security update.Description
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1553 advisory.In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c. (CVE-2022-48622)
A flaw was found in the GIF parser of GdkPixbuf's LZW decoder. When an invalid symbol is encountered during decompression, the decoder sets the reported output size to the full buffer length rather than the actual number of written bytes. This logic error results in uninitialized sections of the buffer being included in the output, potentially leaking arbitrary memory contents in the processed image.
(CVE-2025-6199)
A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib's g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution. (CVE-2025-7345)
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.
(CVE-2026-5201)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Run 'dnf update gdk-pixbuf2 --releasever 2023.11.20260413' or or 'dnf update --advisory ALAS2023-2026-1553 --releasever 2023.11.20260413' to update your system.See Also
https://alas.aws.amazon.com//AL2023/ALAS2023-2026-1553.html
https://alas.aws.amazon.com/faqs.html
https://explore.alas.aws.amazon.com/CVE-2022-48622.html
https://explore.alas.aws.amazon.com/CVE-2025-6199.html
Plugin Details
Severity: High
ID: 306215
File Name: al2023_ALAS2023-2026-1553.nasl
Version: 1.2
Type: Local
Agent: unix
Published: 4/13/2026
Updated: 4/22/2026
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 5.6
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2022-48622
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:amazon:linux:gdk-pixbuf2-modules, p-cpe:/a:amazon:linux:gdk-pixbuf2-modules-debuginfo, p-cpe:/a:amazon:linux:gdk-pixbuf2-debuginfo, cpe:/o:amazon:linux:2023, p-cpe:/a:amazon:linux:gdk-pixbuf2-tests, p-cpe:/a:amazon:linux:gdk-pixbuf2-devel, p-cpe:/a:amazon:linux:gdk-pixbuf2-devel-debuginfo, p-cpe:/a:amazon:linux:gdk-pixbuf2-tests-debuginfo, p-cpe:/a:amazon:linux:gdk-pixbuf2-debugsource, p-cpe:/a:amazon:linux:gdk-pixbuf2
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/13/2026
Vulnerability Publication Date: 3/31/2026
Reference Information
CVE: CVE-2022-48622, CVE-2025-6199, CVE-2025-7345, CVE-2026-5201