ALAS2KERNEL-5.4-2026-118

Amazon Linux 2 Security Advisory: ALAS2KERNEL-5.4-2026-118
Advisory Released Date: 2026-02-19
Advisory Updated Date: 2026-02-19

Severity: Important

References: CVE-2025-40083 CVE-2025-40248 CVE-2025-40254 CVE-2025-40259 CVE-2025-40271 CVE-2025-40280 CVE-2025-40281 CVE-2025-40304 CVE-2025-40322 CVE-2025-40331 CVE-2025-40363 CVE-2025-68177 CVE-2025-68185 CVE-2025-68192 CVE-2025-68229 CVE-2025-68241 CVE-2025-68245 CVE-2025-68312
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: Fix null-deref in agg_dequeue (CVE-2025-40083)

In the Linux kernel, the following vulnerability has been resolved:

vsock: Ignore signal/timeout on connect() if already established (CVE-2025-40248)

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: remove never-working support for setting nsh fields (CVE-2025-40254)

In the Linux kernel, the following vulnerability has been resolved:

scsi: sg: Do not sleep in atomic context (CVE-2025-40259)

In the Linux kernel, the following vulnerability has been resolved:

fs/proc: fix uaf in proc_readdir_de() (CVE-2025-40271)

In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free in tipc_mon_reinit_self(). (CVE-2025-40280)

In the Linux kernel, the following vulnerability has been resolved:

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto (CVE-2025-40281)

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds (CVE-2025-40304)

In the Linux kernel, the following vulnerability has been resolved:

fbdev: bitblit: bound-check glyph index in bit_putcs* (CVE-2025-40322)

In the Linux kernel, the following vulnerability has been resolved:

sctp: Prevent TOCTOU out-of-bounds write (CVE-2025-40331)

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix field-spanning memcpy warning in AH output (CVE-2025-40363)

In the Linux kernel, the following vulnerability has been resolved:

cpufreq/longhaul: handle NULL policy in longhaul_exit (CVE-2025-68177)

In the Linux kernel, the following vulnerability has been resolved:

nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing (CVE-2025-68185)

In the Linux kernel, the following vulnerability has been resolved:

net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup (CVE-2025-68192)

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() (CVE-2025-68229)

In the Linux kernel, the following vulnerability has been resolved:

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe (CVE-2025-68241)

In the Linux kernel, the following vulnerability has been resolved:

net: netpoll: fix incorrect refcount handling causing incorrect cleanup (CVE-2025-68245)

In the Linux kernel, the following vulnerability has been resolved:

usbnet: Prevents free active kevent (CVE-2025-68312)

Affected Packages:

kernel

Note:

This advisory is applicable to Amazon Linux 2 - Kernel-5.4 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update kernel or yum update --advisory ALAS2KERNEL-5.4-2026-118 to update your system.
System reboot is required in order to complete this update.

New Packages:

aarch64:
    kernel-5.4.302-222.451.amzn2.aarch64
    kernel-headers-5.4.302-222.451.amzn2.aarch64
    kernel-debuginfo-common-aarch64-5.4.302-222.451.amzn2.aarch64
    perf-5.4.302-222.451.amzn2.aarch64
    perf-debuginfo-5.4.302-222.451.amzn2.aarch64
    python-perf-5.4.302-222.451.amzn2.aarch64
    python-perf-debuginfo-5.4.302-222.451.amzn2.aarch64
    kernel-tools-5.4.302-222.451.amzn2.aarch64
    kernel-tools-devel-5.4.302-222.451.amzn2.aarch64
    kernel-tools-debuginfo-5.4.302-222.451.amzn2.aarch64
    bpftool-5.4.302-222.451.amzn2.aarch64
    bpftool-debuginfo-5.4.302-222.451.amzn2.aarch64
    kernel-devel-5.4.302-222.451.amzn2.aarch64
    kernel-debuginfo-5.4.302-222.451.amzn2.aarch64

i686:
    kernel-headers-5.4.302-222.451.amzn2.i686

src:
    kernel-5.4.302-222.451.amzn2.src

x86_64:
    kernel-5.4.302-222.451.amzn2.x86_64
    kernel-headers-5.4.302-222.451.amzn2.x86_64
    kernel-debuginfo-common-x86_64-5.4.302-222.451.amzn2.x86_64
    perf-5.4.302-222.451.amzn2.x86_64
    perf-debuginfo-5.4.302-222.451.amzn2.x86_64
    python-perf-5.4.302-222.451.amzn2.x86_64
    python-perf-debuginfo-5.4.302-222.451.amzn2.x86_64
    kernel-tools-5.4.302-222.451.amzn2.x86_64
    kernel-tools-devel-5.4.302-222.451.amzn2.x86_64
    kernel-tools-debuginfo-5.4.302-222.451.amzn2.x86_64
    bpftool-5.4.302-222.451.amzn2.x86_64
    bpftool-debuginfo-5.4.302-222.451.amzn2.x86_64
    kernel-devel-5.4.302-222.451.amzn2.x86_64
    kernel-debuginfo-5.4.302-222.451.amzn2.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-40083, CVE-2025-40248, CVE-2025-40254, CVE-2025-40259, CVE-2025-40271, CVE-2025-40280, CVE-2025-40281, CVE-2025-40304, CVE-2025-40322, CVE-2025-40331, CVE-2025-40363, CVE-2025-68177, CVE-2025-68185, CVE-2025-68192, CVE-2025-68229, CVE-2025-68241, CVE-2025-68245, CVE-2025-68312

Mitre: CVE-2025-40083, CVE-2025-40248, CVE-2025-40254, CVE-2025-40259, CVE-2025-40271, CVE-2025-40280, CVE-2025-40281, CVE-2025-40304, CVE-2025-40322, CVE-2025-40331, CVE-2025-40363, CVE-2025-68177, CVE-2025-68185, CVE-2025-68192, CVE-2025-68229, CVE-2025-68241, CVE-2025-68245, CVE-2025-68312