ALAS2023-2026-1648


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1648
Advisory Released Date: 2026-05-14
Advisory Updated Date: 2026-05-14
Severity: Important

Issue Overview:

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1. (CVE-2026-25547)
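The guard below is an added example, not code from @isaacs/brace-expansion or from this advisory: it bounds how many strings a pattern's numeric brace ranges would generate before any expansion is attempted. The function names, `MAX_EXPANSIONS` and `MAX_PATTERN_LENGTH` are assumptions, and only numeric ranges are counted (comma lists are not).

```javascript
// Added example: pre-expansion guard for untrusted brace patterns.
// Matches numeric ranges such as {1..10}, {-5..5} or {0..100..5}.
const NUMERIC_RANGE = /\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}/g;

// Hypothetical limits; tune them to what the application legitimately needs.
const MAX_EXPANSIONS = 10000n;
const MAX_PATTERN_LENGTH = 1024;

// Returns (as a BigInt) the product of the sizes of all numeric ranges in
// the pattern. Nothing is expanded, so the cost is linear in pattern length
// even when the real expansion would be enormous.
function estimateRangeExpansions(pattern) {
  let total = 1n;
  for (const m of pattern.matchAll(NUMERIC_RANGE)) {
    const start = BigInt(m[1]);
    const end = BigInt(m[2]);
    let step = m[3] === undefined ? 1n : BigInt(m[3]);
    if (step < 0n) step = -step;
    if (step === 0n) step = 1n; // assumption: a zero step is counted as 1
    const span = start > end ? start - end : end - start;
    total *= span / step + 1n; // inclusive range: floor(span / step) + 1
  }
  return total;
}

// Reject patterns that are too long or whose ranges multiply past the limit.
function isSafeToExpand(pattern, limit = MAX_EXPANSIONS) {
  if (typeof pattern !== 'string' || pattern.length > MAX_PATTERN_LENGTH) {
    return false;
  }
  return estimateRangeExpansions(pattern) <= limit;
}

// Constructed sample inputs.
for (const p of ['file{1..3}.txt', '{1..1000}{1..1000}{1..1000}']) {
  console.log(p, estimateRangeExpansions(p).toString(), isSafeToExpand(p));
}
```

Call `isSafeToExpand` on any externally supplied pattern before passing it to the expansion library, and keep the check in place even after updating to a patched version.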

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when the user-facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. The library may also call them internally when it detects a situation that is subject to a connection error. Due to missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Receiving a malformed frame that causes FRAME_SIZE_ERROR then causes an assertion failure. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available. (CVE-2026-27135)


Affected Packages:

nodejs22


Issue Correction:
Run `dnf update nodejs22 --releasever 2023.11.20260511` or `dnf update --advisory ALAS2023-2026-1648 --releasever 2023.11.20260511` to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    nodejs22-libs-debuginfo-22.22.2-1.amzn2023.0.3.aarch64
    v8-12.4-devel-12.4.254.21-1.22.22.2.1.amzn2023.0.3.aarch64
    nodejs22-full-i18n-22.22.2-1.amzn2023.0.3.aarch64
    nodejs22-debuginfo-22.22.2-1.amzn2023.0.3.aarch64
    nodejs22-devel-22.22.2-1.amzn2023.0.3.aarch64
    nodejs22-libs-22.22.2-1.amzn2023.0.3.aarch64
    nodejs22-22.22.2-1.amzn2023.0.3.aarch64
    nodejs22-npm-10.9.7-1.22.22.2.1.amzn2023.0.3.aarch64
    nodejs22-debugsource-22.22.2-1.amzn2023.0.3.aarch64

noarch:
    nodejs22-docs-22.22.2-1.amzn2023.0.3.noarch

src:
    nodejs22-22.22.2-1.amzn2023.0.3.src

x86_64:
    nodejs22-libs-debuginfo-22.22.2-1.amzn2023.0.3.x86_64
    nodejs22-debuginfo-22.22.2-1.amzn2023.0.3.x86_64
    nodejs22-devel-22.22.2-1.amzn2023.0.3.x86_64
    nodejs22-22.22.2-1.amzn2023.0.3.x86_64
    nodejs22-libs-22.22.2-1.amzn2023.0.3.x86_64
    nodejs22-full-i18n-22.22.2-1.amzn2023.0.3.x86_64
    v8-12.4-devel-12.4.254.21-1.22.22.2.1.amzn2023.0.3.x86_64
    nodejs22-npm-10.9.7-1.22.22.2.1.amzn2023.0.3.x86_64
    nodejs22-debugsource-22.22.2-1.amzn2023.0.3.x86_64