ALAS2-2026-3173

Amazon Linux 2 Security Advisory: ALAS2-2026-3173
Advisory Released Date: 2026-02-19
Advisory Updated Date: 2026-02-19

Severity: Medium

References: CVE-2025-10966 CVE-2025-14017 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms.

This prevents curl from detecting MITM attackers and more. (CVE-2025-10966)

broken TLS options for threaded LDAPS

NOTE: https://curl.se/docs/CVE-2025-14017.html
NOTE: Introduced with: https://github.com/curl/curl/commit/ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34 (curl-7_17_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d (rc-8_18_0-1, curl-8_18_0)
NOTE: Built with OpenLDAP (only affects the legacy LDAP support) (CVE-2025-14017)

bearer token leak on cross-protocol redirect

NOTE: https://curl.se/docs/CVE-2025-14524.html
NOTE: Introduced with: https://github.com/curl/curl/commit/06c1bea72faabb6fad4b7ef818aafaa336c9a7aa (curl-7_33_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640 (rc-8_18_0-2, curl-8_18_0) (CVE-2025-14524)

OpenSSL partial chain store policy bypass

NOTE: https://curl.se/docs/CVE-2025-14819.html
NOTE: Introduced with: https://github.com/curl/curl/commit/3c16697ebd796f799227be293e8689aec5f8190d (curl-7_87_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d (rc-8_18_0-3, curl-8_18_0) (CVE-2025-14819)

libssh global knownhost override

NOTE: https://curl.se/docs/CVE-2025-15079.html
NOTE: Introduced with: https://github.com/curl/curl/commit/c92d2e14cfb0db662f958effd2ac86f995cf1b5a (curl-7_58_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479 (rc-8_18_0-3, curl-8_18_0)
NOTE: Debian builds with libssh2 for SSH backend (CVE-2025-15079)

libssh key passphrase bypass without agent set

NOTE: https://curl.se/docs/CVE-2025-15224.html
NOTE: Introduced with: https://github.com/curl/curl/commit/c92d2e14cfb0db662f958effd2ac86f995cf1b5a (curl-7_58_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa (curl-8_18_0)
NOTE: Debian builds with libssh2 for SSH backend (CVE-2025-15224)

Affected Packages:

curl

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update curl or yum update --advisory ALAS2-2026-3173 to update your system.

New Packages:

aarch64:
    curl-8.3.0-1.amzn2.0.12.aarch64
    libcurl-8.3.0-1.amzn2.0.12.aarch64
    libcurl-devel-8.3.0-1.amzn2.0.12.aarch64
    curl-debuginfo-8.3.0-1.amzn2.0.12.aarch64

i686:
    curl-8.3.0-1.amzn2.0.12.i686
    libcurl-8.3.0-1.amzn2.0.12.i686
    libcurl-devel-8.3.0-1.amzn2.0.12.i686
    curl-debuginfo-8.3.0-1.amzn2.0.12.i686

src:
    curl-8.3.0-1.amzn2.0.12.src

x86_64:
    curl-8.3.0-1.amzn2.0.12.x86_64
    libcurl-8.3.0-1.amzn2.0.12.x86_64
    libcurl-devel-8.3.0-1.amzn2.0.12.x86_64
    curl-debuginfo-8.3.0-1.amzn2.0.12.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-10966, CVE-2025-14017, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, CVE-2025-15224

Mitre: CVE-2025-10966, CVE-2025-14017, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, CVE-2025-15224