ALAS2023-2026-1922


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1922
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity: Important

Issue Overview:

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42055)

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-48142)


Affected Packages:

nginx


Issue Correction:
Run dnf update nginx --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1922 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    nginx-core-debuginfo-1.30.3-1.amzn2023.0.1.aarch64
    nginx-debuginfo-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-mail-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-http-image-filter-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-http-image-filter-debuginfo-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-stream-debuginfo-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-http-perl-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-http-xslt-filter-debuginfo-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-http-xslt-filter-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-mail-debuginfo-1.30.3-1.amzn2023.0.1.aarch64
    nginx-debugsource-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-stream-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-devel-1.30.3-1.amzn2023.0.1.aarch64
    nginx-core-1.30.3-1.amzn2023.0.1.aarch64
    nginx-1.30.3-1.amzn2023.0.1.aarch64
    nginx-mod-http-perl-debuginfo-1.30.3-1.amzn2023.0.1.aarch64

noarch:
    nginx-filesystem-1.30.3-1.amzn2023.0.1.noarch
    nginx-all-modules-1.30.3-1.amzn2023.0.1.noarch

src:
    nginx-1.30.3-1.amzn2023.0.1.src

x86_64:
    nginx-mod-stream-debuginfo-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-mail-debuginfo-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-http-image-filter-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-http-perl-debuginfo-1.30.3-1.amzn2023.0.1.x86_64
    nginx-core-debuginfo-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-http-image-filter-debuginfo-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-devel-1.30.3-1.amzn2023.0.1.x86_64
    nginx-1.30.3-1.amzn2023.0.1.x86_64
    nginx-debugsource-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-http-xslt-filter-debuginfo-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-http-perl-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-http-xslt-filter-1.30.3-1.amzn2023.0.1.x86_64
    nginx-debuginfo-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-stream-1.30.3-1.amzn2023.0.1.x86_64
    nginx-mod-mail-1.30.3-1.amzn2023.0.1.x86_64
    nginx-core-1.30.3-1.amzn2023.0.1.x86_64