ALAS2023-2026-1483

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1483
Advisory Released Date: 2026-03-25
Advisory Updated Date: 2026-03-25

Severity: Important

References: CVE-2026-26960 CVE-2026-29786
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8. (CVE-2026-26960)

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. (CVE-2026-29786)

Affected Packages:

nodejs22

Issue Correction:
Run dnf update nodejs22 --releasever 2023.10.20260316 or dnf update --advisory ALAS2023-2026-1483 --releasever 2023.10.20260316 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    nodejs22-libs-debuginfo-22.22.1-1.amzn2023.0.1.aarch64
    nodejs22-debuginfo-22.22.1-1.amzn2023.0.1.aarch64
    v8-12.4-devel-12.4.254.21-1.22.22.1.1.amzn2023.0.1.aarch64
    nodejs22-libs-22.22.1-1.amzn2023.0.1.aarch64
    nodejs22-devel-22.22.1-1.amzn2023.0.1.aarch64
    nodejs22-full-i18n-22.22.1-1.amzn2023.0.1.aarch64
    nodejs22-22.22.1-1.amzn2023.0.1.aarch64
    nodejs22-npm-10.9.4-1.22.22.1.1.amzn2023.0.1.aarch64
    nodejs22-debugsource-22.22.1-1.amzn2023.0.1.aarch64

noarch:
    nodejs22-docs-22.22.1-1.amzn2023.0.1.noarch

src:
    nodejs22-22.22.1-1.amzn2023.0.1.src

x86_64:
    nodejs22-libs-debuginfo-22.22.1-1.amzn2023.0.1.x86_64
    nodejs22-full-i18n-22.22.1-1.amzn2023.0.1.x86_64
    nodejs22-debuginfo-22.22.1-1.amzn2023.0.1.x86_64
    nodejs22-22.22.1-1.amzn2023.0.1.x86_64
    v8-12.4-devel-12.4.254.21-1.22.22.1.1.amzn2023.0.1.x86_64
    nodejs22-libs-22.22.1-1.amzn2023.0.1.x86_64
    nodejs22-devel-22.22.1-1.amzn2023.0.1.x86_64
    nodejs22-npm-10.9.4-1.22.22.1.1.amzn2023.0.1.x86_64
    nodejs22-debugsource-22.22.1-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-26960, CVE-2026-29786

Mitre: CVE-2026-26960, CVE-2026-29786