Amazon Linux 2 Security Advisory: ALAS2OPENSSL-SNAPSAFE-2026-010
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-04-30
Severity:
Medium
References:
CVE-2026-28388
CVE-2026-28389
CVE-2026-28390
FAQs regarding Amazon Linux ALAS/CVE Severity
FAQs regarding Amazon Linux ALAS/CVE Severity
Issue Overview:
NULL Pointer Dereference When Processing a Delta CRL
NOTE: https://openssl-library.org/news/secadv/20260407.txt (CVE-2026-28388)
Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (CVE-2026-28389)
Possible NULL dereference when processing CMS KeyTransportRecipientInfo (CVE-2026-28390)
Affected Packages:
openssl-snapsafe
Note:
This advisory is applicable to Amazon Linux 2 - Openssl-snapsafe Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update openssl-snapsafe or yum update --advisory ALAS2OPENSSL-SNAPSAFE-2026-010 to update your system.
New Packages:
aarch64:
openssl-snapsafe-1.0.2k-24.amzn2.0.20.aarch64
openssl-snapsafe-libs-1.0.2k-24.amzn2.0.20.aarch64
openssl-snapsafe-devel-1.0.2k-24.amzn2.0.20.aarch64
openssl-snapsafe-static-1.0.2k-24.amzn2.0.20.aarch64
openssl-snapsafe-perl-1.0.2k-24.amzn2.0.20.aarch64
openssl-snapsafe-debuginfo-1.0.2k-24.amzn2.0.20.aarch64
i686:
openssl-snapsafe-1.0.2k-24.amzn2.0.20.i686
openssl-snapsafe-libs-1.0.2k-24.amzn2.0.20.i686
openssl-snapsafe-devel-1.0.2k-24.amzn2.0.20.i686
openssl-snapsafe-static-1.0.2k-24.amzn2.0.20.i686
openssl-snapsafe-perl-1.0.2k-24.amzn2.0.20.i686
openssl-snapsafe-debuginfo-1.0.2k-24.amzn2.0.20.i686
src:
openssl-snapsafe-1.0.2k-24.amzn2.0.20.src
x86_64:
openssl-snapsafe-1.0.2k-24.amzn2.0.20.x86_64
openssl-snapsafe-libs-1.0.2k-24.amzn2.0.20.x86_64
openssl-snapsafe-devel-1.0.2k-24.amzn2.0.20.x86_64
openssl-snapsafe-static-1.0.2k-24.amzn2.0.20.x86_64
openssl-snapsafe-perl-1.0.2k-24.amzn2.0.20.x86_64
openssl-snapsafe-debuginfo-1.0.2k-24.amzn2.0.20.x86_64