This base/runtime image is a clean foundation for building production images. It has 6 post-exploit vulnerabilities, but they are all low severity (max CVSS 2.7) and require local access, presenting no practical risk in typical container deployments. Note: this is a general-purpose base/runtime image — many findings live in components that an application built on top may never load, so actual exploitability depends on the final image. For an accurate risk picture, re-scan the final application image with context.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-48863 | LOW2.7 | libsolv 0.7.22-1.amzn2023.0.3 fixed in 0.7.22-1.amzn2023.0.4 | — | Post-Exploit |
| CVE-2026-48864 | LOW2.39 | libsolv 0.7.22-1.amzn2023.0.3 fixed in 0.7.22-1.amzn2023.0.4 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-9149 | LOW1.99 | libsolv 0.7.22-1.amzn2023.0.3 fixed in 0.7.22-1.amzn2023.0.4 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-9150 | LOW1.99 | libsolv 0.7.22-1.amzn2023.0.3 fixed in 0.7.22-1.amzn2023.0.4 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-6019 | LOW1.87 | python3 3.9.25-1.amzn2023.0.5 fixed in 3.9.25-1.amzn2023.0.6 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-6019 | LOW1.87 | python3-libs 3.9.25-1.amzn2023.0.5 fixed in 3.9.25-1.amzn2023.0.6 | 0.2% Theoretical Threat | Post-Exploit |