This base/runtime image is a clean foundation for building production images. It contains some low-severity post-exploit-only findings, but these are not exploitable from the network and do not affect the safety of images built on top. The official publisher and immutable digest further reduce risk. Note: this is a general-purpose base/runtime image — many findings live in components that an application built on top may never load, so actual exploitability depends on the final image. For an accurate risk picture, re-scan the final application image with context.

| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-7598 | LOW (2.78) | libssh2 1.4.3-12.amzn2.2.6 (fixed in 1.4.3-12.amzn2.2.7) | 0.4% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6766 | LOW (1.87) | nss 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6767 | LOW (1.87) | nss 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6772 | LOW (1.87) | nss 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6766 | LOW (1.87) | nss-sysinit 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6767 | LOW (1.87) | nss-sysinit 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6772 | LOW (1.87) | nss-sysinit 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6766 | LOW (1.87) | nss-tools 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6767 | LOW (1.87) | nss-tools 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6772 | LOW (1.87) | nss-tools 3.90.0-2.amzn2.0.2 (fixed in 3.90.0-2.amzn2.0.3) | 0.3% (Theoretical Threat) | Post-Exploit |