ALAS2023-2026-1847

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1847
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
Severity: Important
Issue Overview:

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. (CVE-2026-25680)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-25681)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-27136)

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com". (CVE-2026-39821)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-42502)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-42506)


Affected Packages:

containerd


Issue Correction:
Run dnf update containerd --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1847 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    containerd-debuginfo-2.2.4-1.amzn2023.0.2.aarch64
    containerd-stress-debuginfo-2.2.4-1.amzn2023.0.2.aarch64
    containerd-stress-2.2.4-1.amzn2023.0.2.aarch64
    containerd-2.2.4-1.amzn2023.0.2.aarch64
    containerd-debugsource-2.2.4-1.amzn2023.0.2.aarch64

src:
    containerd-2.2.4-1.amzn2023.0.2.src

x86_64:
    containerd-debuginfo-2.2.4-1.amzn2023.0.2.x86_64
    containerd-stress-debuginfo-2.2.4-1.amzn2023.0.2.x86_64
    containerd-stress-2.2.4-1.amzn2023.0.2.x86_64
    containerd-2.2.4-1.amzn2023.0.2.x86_64
    containerd-debugsource-2.2.4-1.amzn2023.0.2.x86_64

Additional References

Release Notes:  Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-42502, CVE-2026-42506

Mitre: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-42502, CVE-2026-42506