Amazon Linux 2023 Security Advisory: ALAS2023-2026-1932
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity:
Important
Issue Overview:
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation. (CVE-2026-11837)
Affected Packages:
ansible
Issue Correction:
Run dnf update ansible --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1932 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
noarch:
ansible-8.3.0-1.amzn2023.0.3.noarch
src:
ansible-8.3.0-1.amzn2023.0.3.src