Amazon Linux 2023 Security Advisory: ALAS2023-2026-1714
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26
When NGINX Plus or NGINX Open Source is configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address, allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-40460)
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests that, along with conditions beyond the attacker's control, may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-40701)
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42926)
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When the charset, source_charset, and charset_map directives are configured together with proxy_pass with buffering disabled ("off"), unauthenticated attackers can send requests that, along with conditions beyond the attackers' control, cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42934)
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker, along with conditions beyond the attacker's control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42945)
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42946)
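A coarse triage for the trigger configurations described above, as an added example (not part of the advisory, and not AWS or NGINX code): it flattens a configuration and reports which CVEs' directive combinations appear. It ignores block scope, includes and quoting, so it over-reports by design; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample config for illustration; not taken from the advisory.
SAMPLE_CONF = """
server {
    listen 443 quic reuseport;   # HTTP/3
    ssl_verify_client optional;
    ssl_ocsp on;
    location /app/ {
        rewrite ^/app/(.*)$ /index.php?q=$1 last;
        set $orig $1;
        uwsgi_pass unix:/run/app.sock;
    }
}
"""

def directives(conf):
    """Flatten a config into (name, args) pairs. Coarse: ignores quoting and block scope."""
    text = re.sub(r"#[^\n]*", "", conf)
    return [(p[0], p[1:]) for p in (s.split() for s in re.split(r"[;{}]", text)) if p]

def audit(conf):
    """Return the sorted CVE ids whose trigger configuration (per the advisory) is present."""
    d = directives(conf)
    has = lambda name: any(n == name for n, _ in d)
    arg = lambda name, *vals: any(n == name and a and a[0] in vals for n, a in d)
    hits = set()
    if any(n == "listen" and "quic" in a for n, a in d):
        hits.add("CVE-2026-40460")
    if arg("ssl_verify_client", "on", "optional") and (
            arg("ssl_ocsp", "on") or (arg("ssl_ocsp", "leaf") and has("resolver"))):
        hits.add("CVE-2026-40701")
    if arg("proxy_http_version", "2") and has("proxy_set_body"):
        hits.add("CVE-2026-42926")
    if all(map(has, ("charset", "source_charset", "charset_map", "proxy_pass"))) and arg("proxy_buffering", "off"):
        hits.add("CVE-2026-42934")
    for i, (n, a) in enumerate(d):
        # rewrite with '?' in the replacement, then a later rewrite/if/set, with a $N capture in play
        if n == "rewrite" and len(a) > 1 and "?" in a[1]:
            later = [x for x in d[i + 1:] if x[0] in ("rewrite", "if", "set")]
            if later and re.search(r"\$\d", " ".join(a[1:] + [t for _, r in later for t in r])):
                hits.add("CVE-2026-42945")
    if has("scgi_pass") or has("uwsgi_pass"):
        hits.add("CVE-2026-42946")
    return sorted(hits)

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Passing it the output of `nginx -T` covers included files in one pass. A hit means the configuration precondition is present on a host that still needs the update, not that the host was attacked.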
Affected Packages:
nginx
Issue Correction:
Run dnf update nginx --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1714 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
nginx-mod-mail-debuginfo-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-stream-debuginfo-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-http-perl-debuginfo-1.30.1-1.amzn2023.0.1.aarch64
nginx-core-debuginfo-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-http-xslt-filter-debuginfo-1.30.1-1.amzn2023.0.1.aarch64
nginx-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-http-xslt-filter-1.30.1-1.amzn2023.0.1.aarch64
nginx-debuginfo-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-http-image-filter-debuginfo-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-mail-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-http-image-filter-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-http-perl-1.30.1-1.amzn2023.0.1.aarch64
nginx-debugsource-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-stream-1.30.1-1.amzn2023.0.1.aarch64
nginx-mod-devel-1.30.1-1.amzn2023.0.1.aarch64
nginx-core-1.30.1-1.amzn2023.0.1.aarch64
noarch:
nginx-all-modules-1.30.1-1.amzn2023.0.1.noarch
nginx-filesystem-1.30.1-1.amzn2023.0.1.noarch
src:
nginx-1.30.1-1.amzn2023.0.1.src
x86_64:
nginx-debuginfo-1.30.1-1.amzn2023.0.1.x86_64
nginx-debugsource-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-http-xslt-filter-debuginfo-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-http-xslt-filter-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-http-perl-debuginfo-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-http-perl-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-stream-1.30.1-1.amzn2023.0.1.x86_64
nginx-core-debuginfo-1.30.1-1.amzn2023.0.1.x86_64
nginx-core-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-stream-debuginfo-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-http-image-filter-debuginfo-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-http-image-filter-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-devel-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-mail-debuginfo-1.30.1-1.amzn2023.0.1.x86_64
nginx-1.30.1-1.amzn2023.0.1.x86_64
nginx-mod-mail-1.30.1-1.amzn2023.0.1.x86_64