ALAS2023-2026-1927


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1927
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity: Important

Issue Overview:

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted request_key payload to trick the root-owned helper into entering a custom environment (namespace) containing a malicious NSS module. This forces the system to load the attacker's controlled NSS Module and configuration, allowing them to execute arbitrary commands as the root user, elevating their privileges and fully compromising the system. (CVE-2026-12505)


Affected Packages:

cifs-utils


Issue Correction:
Run dnf update cifs-utils --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1927 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    pam_cifscreds-debuginfo-7.5-1.amzn2023.0.4.aarch64
    cifs-utils-debugsource-7.5-1.amzn2023.0.4.aarch64
    cifs-utils-info-7.5-1.amzn2023.0.4.aarch64
    cifs-utils-devel-7.5-1.amzn2023.0.4.aarch64
    cifs-utils-debuginfo-7.5-1.amzn2023.0.4.aarch64
    pam_cifscreds-7.5-1.amzn2023.0.4.aarch64
    cifs-utils-7.5-1.amzn2023.0.4.aarch64

src:
    cifs-utils-7.5-1.amzn2023.0.4.src

x86_64:
    pam_cifscreds-debuginfo-7.5-1.amzn2023.0.4.x86_64
    cifs-utils-devel-7.5-1.amzn2023.0.4.x86_64
    cifs-utils-debuginfo-7.5-1.amzn2023.0.4.x86_64
    cifs-utils-debugsource-7.5-1.amzn2023.0.4.x86_64
    cifs-utils-info-7.5-1.amzn2023.0.4.x86_64
    pam_cifscreds-7.5-1.amzn2023.0.4.x86_64
    cifs-utils-7.5-1.amzn2023.0.4.x86_64