ALAS2023-2026-1924


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1924
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity: Important

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: clear page->private in free_pages_prepare() (CVE-2026-43303)

In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() (CVE-2026-43492)

In the Linux kernel, the following vulnerability has been resolved:

ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850)

In the Linux kernel, the following vulnerability has been resolved:

udf: fix partition descriptor append bookkeeping (CVE-2026-45991)

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() (CVE-2026-45999)

In the Linux kernel, the following vulnerability has been resolved:

xfs: fix a resource leak in xfs_alloc_buftarg() (CVE-2026-46005)

In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix thermal zone governor cleanup issues (CVE-2026-46021)

In the Linux kernel, the following vulnerability has been resolved:

ceph: only d_add() negative dentries when they are unhashed (CVE-2026-46052)

In the Linux kernel, the following vulnerability has been resolved:

fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info (CVE-2026-46065)

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use a stable FDB dst snapshot in RCU readers (CVE-2026-46086)

In the Linux kernel, the following vulnerability has been resolved:

xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete (CVE-2026-46116)

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: fix potential data-race (CVE-2026-46137)

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak (CVE-2026-46159)

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix missing last_unlink_trans update when removing a directory (CVE-2026-46160)

In the Linux kernel, the following vulnerability has been resolved:

xfrm: ah: account for ESN high bits in async callbacks (CVE-2026-46193)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: validate dacloffset before building DACL pointers (CVE-2026-46195)

In the Linux kernel, the following vulnerability has been resolved:

tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() (CVE-2026-46196)

In the Linux kernel, the following vulnerability has been resolved:

pmdomain: core: Fix detach procedure for virtual devices in genpd (CVE-2026-46292)

In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320)

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321)

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322)

In the Linux kernel, the following vulnerability has been resolved:

bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910)

In the Linux kernel, the following vulnerability has been resolved:

ipc: limit next_id allocation to the valid ID range (CVE-2026-52923)

In the Linux kernel, the following vulnerability has been resolved:

sctp: purge outqueue on stale COOKIE-ECHO handling (CVE-2026-52924)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ebtables: fix OOB read in compat_mtw_from_user (CVE-2026-52927)

In the Linux kernel, the following vulnerability has been resolved:

sctp: stream: fully roll back denied add-stream state (CVE-2026-52929)

In the Linux kernel, the following vulnerability has been resolved:

ipc/shm: serialize orphan cleanup with shm_nattch updates (CVE-2026-52930)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_log: validate MAC header was set before dumping it (CVE-2026-52942)

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: fix missing zerocopy reference in pskb_carve helpers (CVE-2026-52943)

In the Linux kernel, the following vulnerability has been resolved:

fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling (CVE-2026-52946)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: require Ethernet MAC header before using eth_hdr() (CVE-2026-53131)

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix truncation for block sizes >= 4G (CVE-2026-53133)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_fib: fix stale stack leak via the OIFNAME register (CVE-2026-53134)

In the Linux kernel, the following vulnerability has been resolved:

fuse: reject fuse_notify() pagecache ops on directories (CVE-2026-53168)

In the Linux kernel, the following vulnerability has been resolved:

mptcp: allow subflow rcv wnd to shrink (CVE-2026-53183)

In the Linux kernel, the following vulnerability has been resolved:

udp: clear skb->dev before running a sockmap verdict (CVE-2026-53184)

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: update file PMD counter before folio_put() (CVE-2026-53189)

In the Linux kernel, the following vulnerability has been resolved:

hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf (CVE-2026-53199)

In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison (CVE-2026-53207)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_tunnel: fix use-after-free on object destroy (CVE-2026-53212)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_exthdr: fix register tracking for F_PRESENT flag (CVE-2026-53218)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: avoid leaking percpu counter pointers (CVE-2026-53219)

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() (CVE-2026-53221)

In the Linux kernel, the following vulnerability has been resolved:

net: guard timestamp cmsgs to real error queue skbs (CVE-2026-53223)

In the Linux kernel, the following vulnerability has been resolved:

sctp: fix uninit-value in __sctp_rcv_asconf_lookup() (CVE-2026-53225)

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix possible kfree_skb of ERR_PTR (CVE-2026-53227)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sit: reload inner IPv6 header after GSO offloads (CVE-2026-53228)

In the Linux kernel, the following vulnerability has been resolved:

tcp: restrict SO_ATTACH_FILTER to priv users (CVE-2026-53236)

In the Linux kernel, the following vulnerability has been resolved:

netlabel: validate unlabeled address and mask attribute lengths (CVE-2026-53238)

In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() (CVE-2026-53239)

In the Linux kernel, the following vulnerability has been resolved:

net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr (CVE-2026-53245)

In the Linux kernel, the following vulnerability has been resolved:

ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options (CVE-2026-53249)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: use RCU with deferred freeing for action lifecycle (CVE-2026-53264)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: make ebt_snat ARP rewrite writable (CVE-2026-53266)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack_irc: fix possible out-of-bounds read (CVE-2026-53268)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: synproxy: add mutex to guard hook reference counting (CVE-2026-53269)

In the Linux kernel, the following vulnerability has been resolved:

ipvs: clear the svc scheduler ptr early on edit (CVE-2026-53270)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: Fix use-after-free when processing MLD queries (CVE-2026-53275)

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix NULL pointer dereference in bond_do_ioctl()

In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
can return NULL if the requested interface name does not exist. However,
the subsequent slave_dbg() call is placed before the NULL check:

slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
if (!slave_dev)
return -ENODEV;

The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
before the NULL check is performed. This results in a NULL pointer
dereference kernel oops when a user calls bonding ioctl (e.g.
SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
interface name.

This is reachable from userspace via the bonding ioctl interface with
CAP_NET_ADMIN capability, making it a potential local denial-of-service
vector.

Fix by moving the slave_dbg() call after the NULL check. (CVE-2026-53337)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack: destroy stale expectfn expectations on unregister

NAT helpers such as nf_nat_h323 store a raw pointer to module text in
exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()
only unlinks the callback descriptor and never walks the expectation table,
so an expectation pending at module removal survives with a dangling
exp->expectfn into freed module text.

When the expected connection arrives, init_conntrack() invokes
exp->expectfn(), now a stale pointer into the unloaded module. Reproduced
on a KASAN build by loading the H.323 helpers, creating a Q.931
expectation, unloading nf_nat_h323, then connecting to the expected port:

Oops: int3: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:0xffffffffa06102d1
init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
nf_hook_slow (net/netfilter/core.c:619)
__ip_local_out (net/ipv4/ip_output.c:120)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1715)
tcp_connect (net/ipv4/tcp_output.c:4374)
tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)
__sys_connect (net/socket.c:2167)
Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]

Reaching the dangling state requires CAP_SYS_MODULE in the initial user
namespace to remove a NAT helper that still has live expectations, so this
is a robustness fix; leaving an expectation pointing at freed text is wrong
regardless.

Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and
drops every expectation whose ->expectfn matches the descriptor being torn
down. Call it from each NAT helper's exit path after the existing RCU grace
period, so no expectation outlives the code it points at and no extra
synchronize_rcu() is introduced. With the fix, the same reproducer runs to
completion without the Oops. (CVE-2026-53349)

In the Linux kernel, the following vulnerability has been resolved:

signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()

When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
threads and sets signal->group_stop_count to the number of threads. If
one of the threads concurrently calls execve(), de_thread() invokes
zap_other_threads() to kill all other threads. zap_other_threads()
aborts the pending group stop by resetting signal->group_stop_count to 0
and clears the JOBCTL_PENDING_MASK for all other threads. However, it
fails to clear the job control flags for the calling thread.

When execve() completes, the calling thread returns to user mode and
checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
it calls do_signal_stop(), which invokes task_participate_group_stop().
Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
already-zero signal->group_stop_count, triggering a warning:

sig->group_stop_count == 0
WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
task_participate_group_stop+0x215/0x2d0
Call Trace:
<TASK>
do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
get_signal+0xa8c/0x1330 kernel/signal.c:2884
arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>

Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
calling thread in zap_other_threads(), ensuring it does not retain any
stale job control state after the thread group is destroyed. This aligns
with other functions that tear down a thread group and abort group
stops, such as zap_process() and complete_signal(), which correctly
clear these flags for all threads including the current one. (CVE-2026-53352)

In the Linux kernel, the following vulnerability has been resolved:

arm64: errata: Mitigate TLBI errata on various Arm CPUs

A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.

These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.

This issue has been assigned CVE ID CVE-2025-10263.

To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.

The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.

Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number. (CVE-2026-53354)

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: Fix phys BO pread/pwrite with offset (CVE-2026-53356)


Affected Packages:

kernel


Issue Correction:
Run dnf update kernel --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1924 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    kernel-tools-devel-6.1.176-220.358.amzn2023.aarch64
    kernel-livepatch-6.1.176-220.358-1.0-0.amzn2023.aarch64
    python3-perf-debuginfo-6.1.176-220.358.amzn2023.aarch64
    perf-debuginfo-6.1.176-220.358.amzn2023.aarch64
    kernel-tools-6.1.176-220.358.amzn2023.aarch64
    kernel-tools-debuginfo-6.1.176-220.358.amzn2023.aarch64
    kernel-modules-extra-common-6.1.176-220.358.amzn2023.aarch64
    perf-6.1.176-220.358.amzn2023.aarch64
    bpftool-6.1.176-220.358.amzn2023.aarch64
    kernel-6.1.176-220.358.amzn2023.aarch64
    kernel-headers-6.1.176-220.358.amzn2023.aarch64
    kernel-modules-extra-6.1.176-220.358.amzn2023.aarch64
    python3-perf-6.1.176-220.358.amzn2023.aarch64
    kernel-debuginfo-6.1.176-220.358.amzn2023.aarch64
    bpftool-debuginfo-6.1.176-220.358.amzn2023.aarch64
    kernel-debuginfo-common-aarch64-6.1.176-220.358.amzn2023.aarch64
    kernel-devel-6.1.176-220.358.amzn2023.aarch64

src:
    kernel-6.1.176-220.358.amzn2023.src

x86_64:
    perf-debuginfo-6.1.176-220.358.amzn2023.x86_64
    python3-perf-6.1.176-220.358.amzn2023.x86_64
    kernel-modules-extra-6.1.176-220.358.amzn2023.x86_64
    kernel-debuginfo-6.1.176-220.358.amzn2023.x86_64
    kernel-livepatch-6.1.176-220.358-1.0-0.amzn2023.x86_64
    python3-perf-debuginfo-6.1.176-220.358.amzn2023.x86_64
    kernel-modules-extra-common-6.1.176-220.358.amzn2023.x86_64
    kernel-headers-6.1.176-220.358.amzn2023.x86_64
    bpftool-debuginfo-6.1.176-220.358.amzn2023.x86_64
    kernel-tools-devel-6.1.176-220.358.amzn2023.x86_64
    kernel-tools-6.1.176-220.358.amzn2023.x86_64
    kernel-tools-debuginfo-6.1.176-220.358.amzn2023.x86_64
    bpftool-6.1.176-220.358.amzn2023.x86_64
    perf-6.1.176-220.358.amzn2023.x86_64
    kernel-6.1.176-220.358.amzn2023.x86_64
    kernel-debuginfo-common-x86_64-6.1.176-220.358.amzn2023.x86_64
    kernel-devel-6.1.176-220.358.amzn2023.x86_64