Amazon Linux 2023 Security Advisory: ALAS2023-2026-1870
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL. This vulnerability is fixed in 0.10.78. (CVE-2026-41676)
rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8, ensuring the output buffer is large enough. Because of the inverted check, the function only accepts buffers at or below the minimum required size and rejects larger ones. If a smaller buffer is provided the function will write past the end of out by in_.len() - 8 - out.len() bytes, causing an out-of-bounds write from a safe public function. This vulnerability is fixed in 0.10.78. (CVE-2026-41678)
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant -- resulting in undefined behavior. This vulnerability is fixed in 0.10.79. (CVE-2026-42327)
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.0 to before 0.10.79, CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced. This only impacts users using AES key-wrap-with-padding ciphers. This vulnerability is fixed in 0.10.79. (CVE-2026-44662)
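As an added illustration, not rust-openssl's own code, the size preconditions a safe wrapper over an AES key-wrap call has to enforce before passing a caller's buffer to native code, modelled on the inverted unwrap_key() assertion (CVE-2026-41678) and the key-wrap-with-padding output sizing (CVE-2026-44662) described above. The function names are hypothetical, and the RFC 3394/5649 length rules encoded here are assumptions not stated in this advisory.

```rust
/// Why a caller's buffers cannot be handed to the wrap/unwrap routine as given.
#[derive(Debug, PartialEq)]
pub enum SizeError {
    InvalidInput,
    OutputTooSmall { needed: usize, got: usize },
}

/// The inverted check the advisory describes for aes::unwrap_key(): it passes
/// for output buffers at or below the minimum size and fails for larger ones,
/// the opposite of what is needed. Kept only to contrast with check_unwrap_sizes.
pub fn inverted_unwrap_check(in_len: usize, out_len: usize) -> bool {
    out_len + 8 <= in_len
}

/// Correct invariant: RFC 3394 unwrap yields in_len - 8 bytes, so `out` must
/// hold at least that many. A valid input is a multiple of 8 and at least two
/// 64-bit semiblocks plus the 8-byte integrity block (24 bytes).
pub fn check_unwrap_sizes(in_len: usize, out_len: usize) -> Result<usize, SizeError> {
    if in_len < 24 || in_len % 8 != 0 {
        return Err(SizeError::InvalidInput);
    }
    let needed = in_len - 8;
    if out_len < needed {
        return Err(SizeError::OutputTooSmall { needed, got: out_len });
    }
    Ok(needed)
}

/// Key wrap with padding (RFC 5649, EVP_aes_*_wrap_pad) pads the plaintext up
/// to a multiple of 8 and prepends an 8-byte block, so the ciphertext is up to
/// 7 bytes longer than plaintext_len + 8. This is what the output buffer needs.
pub fn wrap_pad_output_len(plaintext_len: usize) -> usize {
    (plaintext_len + 7) / 8 * 8 + 8
}

/// Reject an output buffer that only has room for plaintext_len + 8 bytes.
pub fn check_wrap_pad_sizes(plaintext_len: usize, out_len: usize) -> Result<usize, SizeError> {
    let needed = wrap_pad_output_len(plaintext_len);
    if out_len < needed {
        return Err(SizeError::OutputTooSmall { needed, got: out_len });
    }
    Ok(needed)
}

fn main() {
    // A 24-byte wrapped key unwraps to 16 bytes: the inverted check still
    // accepts an 8-byte output buffer, the correct check rejects it.
    println!("inverted accepts 8-byte out: {}", inverted_unwrap_check(24, 8));
    println!("correct: {:?}", check_unwrap_sizes(24, 8));
    println!("13-byte plaintext wraps to {} bytes", wrap_pad_output_len(13));
}
```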
Affected Packages:
clamav1.5
Issue Correction:
Run dnf update clamav1.5 --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1870 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
clamd1.5-debuginfo-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-debuginfo-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-lib-debuginfo-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-devel-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-milter-debuginfo-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-freshclam-debuginfo-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-1.5.2-1.amzn2023.0.2.aarch64
clamd1.5-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-milter-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-freshclam-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-debugsource-1.5.2-1.amzn2023.0.2.aarch64
clamav1.5-lib-1.5.2-1.amzn2023.0.2.aarch64
noarch:
clamav1.5-data-1.5.2-1.amzn2023.0.2.noarch
clamav1.5-filesystem-1.5.2-1.amzn2023.0.2.noarch
clamav1.5-doc-1.5.2-1.amzn2023.0.2.noarch
src:
clamav1.5-1.5.2-1.amzn2023.0.2.src
x86_64:
clamav1.5-debuginfo-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-milter-debuginfo-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-freshclam-debuginfo-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-lib-debuginfo-1.5.2-1.amzn2023.0.2.x86_64
clamd1.5-1.5.2-1.amzn2023.0.2.x86_64
clamd1.5-debuginfo-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-devel-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-milter-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-freshclam-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-debugsource-1.5.2-1.amzn2023.0.2.x86_64
clamav1.5-lib-1.5.2-1.amzn2023.0.2.x86_64