ALAS2-2026-3326

Amazon Linux 2 Security Advisory: ALAS2-2026-3326
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08

Severity: Medium

References: CVE-2026-7010
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.

An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server. (CVE-2026-7010)

Affected Packages:

perl-HTTP-Tiny

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update perl-HTTP-Tiny or yum update --advisory ALAS2-2026-3326 to update your system.

New Packages:

noarch:
    perl-HTTP-Tiny-0.033-3.amzn2.0.2.noarch

src:
    perl-HTTP-Tiny-0.033-3.amzn2.0.2.src

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2026-7010

Mitre: CVE-2026-7010