ALAS2-2026-3155

Amazon Linux 2 Security Advisory: ALAS2-2026-3155
Advisory Released Date: 2026-02-05
Advisory Updated Date: 2026-03-11

Severity: Medium

References: CVE-2025-47914 CVE-2025-58181
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. (CVE-2025-47914)

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. (CVE-2025-58181)

Affected Packages:

nerdctl

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update nerdctl or yum update --advisory ALAS2-2026-3155 to update your system.

New Packages:

aarch64:
    nerdctl-2.2.1-1.amzn2.0.1.aarch64
    nerdctl-debuginfo-2.2.1-1.amzn2.0.1.aarch64

src:
    nerdctl-2.2.1-1.amzn2.0.1.src

x86_64:
    nerdctl-2.2.1-1.amzn2.0.1.x86_64
    nerdctl-debuginfo-2.2.1-1.amzn2.0.1.x86_64

Changelog:

2026-03-11: CVE-2025-47914 was added to this advisory.

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-47914, CVE-2025-58181

Mitre: CVE-2025-47914, CVE-2025-58181