ALAS2-2026-3324

Amazon Linux 2 Security Advisory: ALAS2-2026-3324
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
Severity: Important
Issue Overview:

A remotely triggerable underflow in the DTLS reassembly code led to a heap overrun. The issue was reported in the issue tracker as #1811 by Joshua Rogers of AISLE Research Team. (CVE-2026-33845)

GnuTLS didn't check that DTLS fragments claimed a consistent message_length value. Additionally, a crucial array size check was missing, enabling an attacker to cause a heap overwrite. (CVE-2026-33846)

The comparator function used for ordering DTLS packets by sequence numbers did not follow qsort comparator contracts in case of packets with duplicate sequence numbers, which could lead to undefined behaviour. (CVE-2026-42009)


Affected Packages:

gnutls


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update gnutls or yum update --advisory ALAS2-2026-3324 to update your system.

New Packages:
aarch64:
    gnutls-3.3.29-9.amzn2.0.4.aarch64
    gnutls-c++-3.3.29-9.amzn2.0.4.aarch64
    gnutls-devel-3.3.29-9.amzn2.0.4.aarch64
    gnutls-utils-3.3.29-9.amzn2.0.4.aarch64
    gnutls-dane-3.3.29-9.amzn2.0.4.aarch64
    gnutls-debuginfo-3.3.29-9.amzn2.0.4.aarch64

i686:
    gnutls-3.3.29-9.amzn2.0.4.i686
    gnutls-c++-3.3.29-9.amzn2.0.4.i686
    gnutls-devel-3.3.29-9.amzn2.0.4.i686
    gnutls-utils-3.3.29-9.amzn2.0.4.i686
    gnutls-dane-3.3.29-9.amzn2.0.4.i686
    gnutls-debuginfo-3.3.29-9.amzn2.0.4.i686

src:
    gnutls-3.3.29-9.amzn2.0.4.src

x86_64:
    gnutls-3.3.29-9.amzn2.0.4.x86_64
    gnutls-c++-3.3.29-9.amzn2.0.4.x86_64
    gnutls-devel-3.3.29-9.amzn2.0.4.x86_64
    gnutls-utils-3.3.29-9.amzn2.0.4.x86_64
    gnutls-dane-3.3.29-9.amzn2.0.4.x86_64
    gnutls-debuginfo-3.3.29-9.amzn2.0.4.x86_64

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2026-33845, CVE-2026-33846, CVE-2026-42009

Mitre: CVE-2026-33845, CVE-2026-33846, CVE-2026-42009