Amazon Linux 2023 Security Advisory: ALAS2023-2026-1723
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. (CVE-2026-27142)
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. (CVE-2026-33811)
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. (CVE-2026-33814)
Crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate could trigger excessive CPU consumption and memory allocation. (CVE-2026-39820)
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside a <meta> tag's content attribute. If ASCII whitespace was inserted around the '=' rune inside the content attribute, the escaper would fail to escape the URL in the same way, leading to XSS. (CVE-2026-39823)
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. (CVE-2026-42499)
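The whitespace case in CVE-2026-39823 matters because browsers accept ASCII whitespace on either side of '=' in a refresh value. The following is an added example, not code from the advisory or from Go's html/template: a hypothetical application-side check that extracts the refresh target with that tolerance and allows only relative, http and https URLs. The function names and sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const ws = " \t\n\f\r" // ASCII whitespace as defined by the HTML standard

// refreshTarget returns the URL part of a <meta http-equiv="refresh"> content
// value. Simplified model of browser parsing: whitespace is allowed on either
// side of '=' after "url". This is not the html/template escaper.
func refreshTarget(content string) string {
	s := strings.TrimLeft(content, ws)
	s = strings.TrimLeft(s, "0123456789.") // skip the delay
	s = strings.TrimLeft(s, ws)
	if s != "" && (s[0] == ';' || s[0] == ',') {
		s = s[1:] // optional separator between delay and URL
	}
	s = strings.TrimLeft(s, ws)
	if len(s) >= 3 && strings.EqualFold(s[:3], "url") {
		// "url", optional whitespace, '=', optional whitespace
		if after := strings.TrimLeft(s[3:], ws); strings.HasPrefix(after, "=") {
			s = strings.TrimLeft(after[1:], ws)
		}
	}
	if s != "" && (s[0] == '"' || s[0] == '\'') {
		q := s[0]
		s = s[1:]
		if end := strings.IndexByte(s, q); end >= 0 {
			s = s[:end] // quoted target ends at the matching quote
		}
	}
	return strings.Trim(s, ws)
}

// allowedRefresh accepts only relative, http and https refresh targets.
func allowedRefresh(content string) bool {
	u, err := url.Parse(refreshTarget(content))
	return err == nil && (u.Scheme == "" || u.Scheme == "http" || u.Scheme == "https")
}

func main() {
	// Constructed sample values, not taken from the advisory.
	for _, c := range []string{"0; url=https://example.com/", "0; url = javascript:void(0)", "5;URL\t=\t'/next'"} {
		fmt.Printf("%-32q target=%q allowed=%v\n", c, refreshTarget(c), allowedRefresh(c))
	}
}
```

A filter that only looks for the literal string "url=" does not match the second sample, while the tolerant parse extracts its target and rejects it.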
Affected Packages:
cni-plugins
Issue Correction:
Run dnf update cni-plugins --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1723 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
cni-plugins-1.7.1-1.amzn2023.0.6.aarch64
cni-plugins-debuginfo-1.7.1-1.amzn2023.0.6.aarch64
cni-plugins-debugsource-1.7.1-1.amzn2023.0.6.aarch64
src:
cni-plugins-1.7.1-1.amzn2023.0.6.src
x86_64:
cni-plugins-1.7.1-1.amzn2023.0.6.x86_64
cni-plugins-debuginfo-1.7.1-1.amzn2023.0.6.x86_64
cni-plugins-debugsource-1.7.1-1.amzn2023.0.6.x86_64