ALAS2DOCKER-2026-129

Amazon Linux 2 Security Advisory: ALAS2DOCKER-2026-129
Advisory Released Date: 2026-06-12
Advisory Updated Date: 2026-06-12
Severity: Important
Issue Overview:

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. (CVE-2026-25680)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-25681)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-27136)

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com". (CVE-2026-39821)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-42502)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-42506)


Affected Packages:

docker


Note:

This advisory is applicable to Amazon Linux 2 - Docker Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update docker or yum update --advisory ALAS2DOCKER-2026-129 to update your system.

New Packages:
aarch64:
    docker-25.0.16-1.amzn2.0.2.aarch64
    docker-debuginfo-25.0.16-1.amzn2.0.2.aarch64

src:
    docker-25.0.16-1.amzn2.0.2.src

x86_64:
    docker-25.0.16-1.amzn2.0.2.x86_64
    docker-debuginfo-25.0.16-1.amzn2.0.2.x86_64

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-42502, CVE-2026-42506

Mitre: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-42502, CVE-2026-42506