ALAS2023-2026-1736

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1736
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26

Severity: Important

References: CVE-2026-33811 CVE-2026-33814 CVE-2026-39820 CVE-2026-39823 CVE-2026-39825 CVE-2026-39826 CVE-2026-42499
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. (CVE-2026-33811)

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. (CVE-2026-33814)

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. (CVE-2026-39820)

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS. (CVE-2026-39823)

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. (CVE-2026-39825)

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. (CVE-2026-39826)

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. (CVE-2026-42499)

Affected Packages:

docker

Issue Correction:
Run dnf update docker --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1736 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    docker-debuginfo-25.0.14-1.amzn2023.0.6.aarch64
    docker-25.0.14-1.amzn2023.0.6.aarch64
    docker-debugsource-25.0.14-1.amzn2023.0.6.aarch64

src:
    docker-25.0.14-1.amzn2023.0.6.src

x86_64:
    docker-debuginfo-25.0.14-1.amzn2023.0.6.x86_64
    docker-25.0.14-1.amzn2023.0.6.x86_64
    docker-debugsource-25.0.14-1.amzn2023.0.6.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-42499

Mitre: CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-42499