Amazon Linux 2023 Security Advisory: ALAS2023-2026-1594
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-05-19
FAQs regarding Amazon Linux ALAS/CVE Severity
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: remove refcounting in expectation dumpers (CVE-2025-39764)
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_xmit() (CVE-2025-40135)
In the Linux kernel, the following vulnerability has been resolved:
blk-throttle: fix access race during throttle policy activation (CVE-2025-40147)
In the Linux kernel, the following vulnerability has been resolved:
binfmt_misc: restore write access before closing files opened by open_exec() (CVE-2025-68239)
In the Linux kernel, the following vulnerability has been resolved:
dm-verity: disable recursive forward error correction (CVE-2025-71161)
In the Linux kernel, the following vulnerability has been resolved:
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (CVE-2026-23004)
In the Linux kernel, the following vulnerability has been resolved:
tracing: Add recursion protection in kernel stack trace recording (CVE-2026-23138)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels (CVE-2026-23274)
In the Linux kernel, the following vulnerability has been resolved:
net: add xmit recursion limit to tunnel xmit functions (CVE-2026-23276)
In the Linux kernel, the following vulnerability has been resolved:
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit (CVE-2026-23277)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: always walk all pending catchall elements (CVE-2026-23278)
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: in-kernel: always mark signal+subflow endp as used (CVE-2026-23321)
In the Linux kernel, the following vulnerability has been resolved:
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock (CVE-2026-23368)
In the Linux kernel, the following vulnerability has been resolved:
mm: thp: deny THP for files on anonymous inodes (CVE-2026-23375)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_CT: drop pending enqueued packets on template removal (CVE-2026-23391)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: release flowtable after rcu grace period on error (CVE-2026-23392)
In the Linux kernel, the following vulnerability has been resolved:
nfnetlink_osf: validate individual option lengths in fingerprints (CVE-2026-23397)
In the Linux kernel, the following vulnerability has been resolved:
icmp: fix NULL pointer dereference in icmp_tag_validation() (CVE-2026-23398)
In the Linux kernel, the following vulnerability has been resolved:
nf_tables: nft_dynset: fix possible stateful expression memleak in error path (CVE-2026-23399)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: bpf: defer hook memory release until rcu readers are done (CVE-2026-23412)
In the Linux kernel, the following vulnerability has been resolved:
clsact: Fix use-after-free in init/destroy rollback asymmetry (CVE-2026-23413)
In the Linux kernel, the following vulnerability has been resolved:
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n (CVE-2026-23439)
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix race condition during IPSec ESN update (CVE-2026-23440)
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Prevent concurrent access to IPSec ASO context (CVE-2026-23441)
In the Linux kernel, the following vulnerability has been resolved:
ACPI: processor: Fix previous acpi_processor_errata_piix4() fix (CVE-2026-23443)
In the Linux kernel, the following vulnerability has been resolved:
igc: fix page fault in XDP TX timestamps handling (CVE-2026-23445)
In the Linux kernel, the following vulnerability has been resolved:
net/sched: teql: Fix double-free in teql_master_xmit (CVE-2026-23449)
In the Linux kernel, the following vulnerability has been resolved:
PM: runtime: Fix a race condition related to device removal (CVE-2026-23452)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (CVE-2026-23455)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case (CVE-2026-23456)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() (CVE-2026-23457)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() (CVE-2026-23458)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: log new dentries when logging parent dir of a conflicting inode (CVE-2026-23465)
In the Linux kernel, the following vulnerability has been resolved:
spi: fix statistics allocation (CVE-2026-23475)
In the Linux kernel, the following vulnerability has been resolved:
spi: fix use-after-free on controller registration failure (CVE-2026-31389)
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix krb5 mount with username option (CVE-2026-31392)
In the Linux kernel, the following vulnerability has been resolved:
nvdimm/bus: Fix potential use after free in asynchronous initialization (CVE-2026-31399)
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix cache_request leak in cache_release (CVE-2026-31400)
In the Linux kernel, the following vulnerability has been resolved:
HID: bpf: prevent buffer overflow in hid_hw_request (CVE-2026-31401)
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd (CVE-2026-31403)
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: Check set_default_submission() before deferencing (CVE-2026-31540)
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix NULL deref in bond_debug_rlb_hash_show (CVE-2026-31546)
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: restrict usage in unprivileged domU (CVE-2026-31788)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: drop pending enqueued packets on removal (CVE-2026-43060)
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: Fix TX deadlock when using DMA (CVE-2026-43061)
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: in-kernel: always set ID as avail when rm endp (CVE-2026-43252)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on set received ioctl due to item overflow (CVE-2026-43359)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on file creation due to name hash collision (CVE-2026-43360)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort when snapshotting received subvolumes (CVE-2026-43361)
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix in-place encryption corruption in SMB2_write() (CVE-2026-43362)
In the Linux kernel, the following vulnerability has been resolved:
x86/apic: Disable x2apic on resume if the kernel expects so (CVE-2026-43363)
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix undersized l_iclog_roundoff values (CVE-2026-43365)
In the Linux kernel, the following vulnerability has been resolved:
io_uring/kbuf: check if target buffer list is still legacy on recycle (CVE-2026-43366)
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix potential overflow of shmem scatterlist length (CVE-2026-43368)
In the Linux kernel, the following vulnerability has been resolved:
net: nexthop: fix percpu use-after-free in remove_nh_grp_entry (CVE-2026-43374)
In the Linux kernel, the following vulnerability has been resolved:
net/tcp-md5: Fix MAC comparison to be constant-time (CVE-2026-43383)
In the Linux kernel, the following vulnerability has been resolved:
net/tcp-ao: Fix MAC comparison to be constant-time (CVE-2026-43384)
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix starvation of scx_enable() under fair-class saturation (CVE-2026-43392)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() (CVE-2026-43393)
In the Linux kernel, the following vulnerability has been resolved:
nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit(). (CVE-2026-43394)
In the Linux kernel, the following vulnerability has been resolved:
nsfs: tighten permission checks for ns iteration ioctls (CVE-2026-43403)
In the Linux kernel, the following vulnerability has been resolved:
libceph: Use u32 for non-negative values in ceph_monmap_decode() (CVE-2026-43405)
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds reads in process_message_header() (CVE-2026-43406)
In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() (CVE-2026-43407)
In the Linux kernel, the following vulnerability has been resolved:
ceph: add a bunch of missing ceph_path_info initializers (CVE-2026-43408)
In the Linux kernel, the following vulnerability has been resolved:
kprobes: avoid crash when rmmod/insmod after ftrace killed (CVE-2026-43409)
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix divide-by-zero in tipc_sk_filter_connect() (CVE-2026-43411)
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix memory leaks in ceph_mdsc_build_path() (CVE-2026-43419)
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix i_nlink underrun during async unlink (CVE-2026-43420)
In the Linux kernel, the following vulnerability has been resolved:
usb: class: cdc-wdm: fix reordering issue in read code path (CVE-2026-43427)
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Limit the length of unkillable synchronous timeouts (CVE-2026-43428)
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix memory leak in xhci_disable_slot() (CVE-2026-43432)
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Remove redundant css_put() in scx_cgroup_init() (CVE-2026-43438)
In the Linux kernel, the following vulnerability has been resolved:
cgroup: fix race between task migration and iteration (CVE-2026-43439)
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled (CVE-2026-43441)
In the Linux kernel, the following vulnerability has been resolved:
e1000/e1000e: Fix leak in DMA error cleanup (CVE-2026-43445)
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: Fix race bug in nvme_poll_irqdisable() (CVE-2026-43448)
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set (CVE-2026-43449)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() (CVE-2026-43450)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path (CVE-2026-43451)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: guard option walkers against 1-byte tail reads (CVE-2026-43452)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() (CVE-2026-43453)
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix type confusion in bond_setup_by_slave() (CVE-2026-43456)
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery (CVE-2026-43466)
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix crash when moving to switchdev mode (CVE-2026-43467)
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix deadlock between devlink lock and esw->wq (CVE-2026-43468)
In the Linux kernel, the following vulnerability has been resolved:
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir (CVE-2026-43470)
In the Linux kernel, the following vulnerability has been resolved:
unshare: fix unshare_fs() handling (CVE-2026-43472)
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Add NULL checks when resetting request and reply queues (CVE-2026-43473)
In the Linux kernel, the following vulnerability has been resolved:
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT (CVE-2026-43475)
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated (CVE-2026-43483)
In the Linux kernel, the following vulnerability has been resolved:
arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults (CVE-2026-43486)
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Prevent interrupt storm on host controller error (HCE) (CVE-2026-43488)
Affected Packages:
kernel6.12
Issue Correction:
Run dnf update kernel6.12 --releasever 2023.11.20260427 or dnf update --advisory ALAS2023-2026-1594 --releasever 2023.11.20260427 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
kernel-livepatch-6.12.79-101.147-1.0-0.amzn2023.aarch64
kernel6.12-tools-6.12.79-101.147.amzn2023.aarch64
bpftool6.12-6.12.79-101.147.amzn2023.aarch64
python3-perf6.12-6.12.79-101.147.amzn2023.aarch64
perf6.12-debuginfo-6.12.79-101.147.amzn2023.aarch64
python3-perf6.12-debuginfo-6.12.79-101.147.amzn2023.aarch64
kernel6.12-libbpf-debuginfo-6.12.79-101.147.amzn2023.aarch64
kernel6.12-tools-debuginfo-6.12.79-101.147.amzn2023.aarch64
kernel6.12-tools-devel-6.12.79-101.147.amzn2023.aarch64
kernel6.12-modules-extra-common-6.12.79-101.147.amzn2023.aarch64
kernel6.12-headers-6.12.79-101.147.amzn2023.aarch64
perf6.12-6.12.79-101.147.amzn2023.aarch64
kernel6.12-modules-extra-6.12.79-101.147.amzn2023.aarch64
bpftool6.12-debuginfo-6.12.79-101.147.amzn2023.aarch64
kernel6.12-libbpf-6.12.79-101.147.amzn2023.aarch64
kernel6.12-libbpf-static-6.12.79-101.147.amzn2023.aarch64
kernel6.12-libbpf-devel-6.12.79-101.147.amzn2023.aarch64
kernel6.12-6.12.79-101.147.amzn2023.aarch64
kernel6.12-debuginfo-6.12.79-101.147.amzn2023.aarch64
kernel6.12-debuginfo-common-aarch64-6.12.79-101.147.amzn2023.aarch64
kernel6.12-devel-6.12.79-101.147.amzn2023.aarch64
src:
kernel6.12-6.12.79-101.147.amzn2023.src
x86_64:
kernel6.12-libbpf-static-6.12.79-101.147.amzn2023.x86_64
kernel6.12-libbpf-debuginfo-6.12.79-101.147.amzn2023.x86_64
kernel6.12-tools-debuginfo-6.12.79-101.147.amzn2023.x86_64
bpftool6.12-debuginfo-6.12.79-101.147.amzn2023.x86_64
kernel6.12-tools-6.12.79-101.147.amzn2023.x86_64
kernel6.12-libbpf-devel-6.12.79-101.147.amzn2023.x86_64
kernel6.12-tools-devel-6.12.79-101.147.amzn2023.x86_64
kernel-livepatch-6.12.79-101.147-1.0-0.amzn2023.x86_64
kernel6.12-modules-extra-6.12.79-101.147.amzn2023.x86_64
kernel6.12-libbpf-6.12.79-101.147.amzn2023.x86_64
perf6.12-debuginfo-6.12.79-101.147.amzn2023.x86_64
bpftool6.12-6.12.79-101.147.amzn2023.x86_64
kernel6.12-headers-6.12.79-101.147.amzn2023.x86_64
python3-perf6.12-debuginfo-6.12.79-101.147.amzn2023.x86_64
kernel6.12-debuginfo-6.12.79-101.147.amzn2023.x86_64
kernel6.12-modules-extra-common-6.12.79-101.147.amzn2023.x86_64
perf6.12-6.12.79-101.147.amzn2023.x86_64
python3-perf6.12-6.12.79-101.147.amzn2023.x86_64
kernel6.12-6.12.79-101.147.amzn2023.x86_64
kernel6.12-debuginfo-common-x86_64-6.12.79-101.147.amzn2023.x86_64
kernel6.12-devel-6.12.79-101.147.amzn2023.x86_64
2026-05-19: CVE-2026-43456 was added to this advisory.
2026-05-19: CVE-2026-43408 was added to this advisory.
2026-05-19: CVE-2026-43452 was added to this advisory.
2026-05-19: CVE-2026-43420 was added to this advisory.
2026-05-19: CVE-2026-43486 was added to this advisory.
2026-05-19: CVE-2026-43359 was added to this advisory.
2026-05-19: CVE-2026-43483 was added to this advisory.
2026-05-19: CVE-2026-43427 was added to this advisory.
2026-05-19: CVE-2026-43466 was added to this advisory.
2026-05-19: CVE-2026-43488 was added to this advisory.
2026-05-19: CVE-2026-43472 was added to this advisory.
2026-05-19: CVE-2026-43392 was added to this advisory.
2026-05-13: CVE-2026-43428 was added to this advisory.
2026-05-13: CVE-2026-43450 was added to this advisory.
2026-05-13: CVE-2026-43365 was added to this advisory.
2026-05-13: CVE-2026-43445 was added to this advisory.
2026-05-13: CVE-2026-43453 was added to this advisory.
2026-05-13: CVE-2026-43432 was added to this advisory.
2026-05-13: CVE-2026-43475 was added to this advisory.
2026-05-13: CVE-2026-43363 was added to this advisory.
2026-05-13: CVE-2026-43362 was added to this advisory.
2026-05-13: CVE-2026-43374 was added to this advisory.
2026-05-13: CVE-2026-43467 was added to this advisory.
2026-05-13: CVE-2026-43439 was added to this advisory.
2026-05-13: CVE-2026-43448 was added to this advisory.
2026-05-13: CVE-2026-43366 was added to this advisory.
2026-05-13: CVE-2026-43368 was added to this advisory.
2026-05-13: CVE-2026-43438 was added to this advisory.
2026-05-13: CVE-2026-43411 was added to this advisory.
2026-05-13: CVE-2026-43451 was added to this advisory.
2026-05-13: CVE-2026-43468 was added to this advisory.
2026-05-13: CVE-2026-43470 was added to this advisory.
2026-05-13: CVE-2026-43409 was added to this advisory.
2026-05-13: CVE-2026-43419 was added to this advisory.
2026-05-13: CVE-2026-43406 was added to this advisory.
2026-05-13: CVE-2026-43394 was added to this advisory.
2026-05-13: CVE-2026-43441 was added to this advisory.
2026-05-13: CVE-2026-43449 was added to this advisory.
2026-05-13: CVE-2026-43405 was added to this advisory.
2026-05-13: CVE-2026-43383 was added to this advisory.
2026-05-13: CVE-2026-43360 was added to this advisory.
2026-05-13: CVE-2026-43407 was added to this advisory.
2026-05-13: CVE-2026-43473 was added to this advisory.
2026-05-13: CVE-2026-43403 was added to this advisory.
2026-05-13: CVE-2026-43384 was added to this advisory.
2026-05-13: CVE-2026-43393 was added to this advisory.
2026-05-13: CVE-2026-43361 was added to this advisory.