ALAS2023-2026-1716


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1716
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26
Severity: Important

Issue Overview:

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. (CVE-2026-33811)

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. (CVE-2026-33814)

Crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate could trigger CPU exhaustion and excessive memory allocation. (CVE-2026-39820)

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside a <meta> tag's content attribute. If the URL content inserted ASCII whitespace around the '=' rune inside the content attribute, the escaper would fail to similarly escape it, leading to XSS. (CVE-2026-39823)

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. (CVE-2026-42499)


Affected Packages:

yq


Issue Correction:
Run one of the following commands to update your system:
    dnf update yq --releasever 2023.11.20260526
    dnf update --advisory ALAS2023-2026-1716 --releasever 2023.11.20260526
More information on how to update your system can be found in the Amazon Linux 2023 documentation.

New Packages:
aarch64:
    yq-debuginfo-4.47.1-13.amzn2023.aarch64
    yq-4.47.1-13.amzn2023.aarch64
    yq-debugsource-4.47.1-13.amzn2023.aarch64

src:
    yq-4.47.1-13.amzn2023.src

x86_64:
    yq-debugsource-4.47.1-13.amzn2023.x86_64
    yq-debuginfo-4.47.1-13.amzn2023.x86_64
    yq-4.47.1-13.amzn2023.x86_64
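
To confirm that a host picked up the fix, the installed yq build can be compared with the fixed build listed under New Packages. This is an added example, not part of the advisory: the helper names evr_at_least and classify_yq are hypothetical, and GNU sort -V is assumed as a stand-in for RPM's own version comparison.

```shell
#!/bin/sh
# Added example (not from the advisory). Helper names are hypothetical.
# Fixed build, taken from the advisory's "New Packages" list.
FIXED_EVR="4.47.1-13.amzn2023"

# evr_at_least INSTALLED FIXED
# Succeeds when INSTALLED >= FIXED.
# Assumption: GNU `sort -V` approximates RPM ordering. That holds for plain
# numeric version-release strings like these; it does not handle epochs or
# tilde/caret pre-release markers.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify_yq "<output of: rpm -q yq>"
# Prints PATCHED, VULNERABLE or NOT_INSTALLED.
classify_yq() {
    case "$1" in
        yq-[0-9]*) ;;                      # looks like name-version-release.arch
        *) echo "NOT_INSTALLED"; return 0 ;;   # e.g. "package yq is not installed"
    esac
    evr=${1#yq-}    # drop the package name
    evr=${evr%.*}   # drop the trailing .arch
    if evr_at_least "$evr" "$FIXED_EVR"; then
        echo "PATCHED"
    else
        echo "VULNERABLE"
    fi
}

# On an Amazon Linux 2023 host:
#   classify_yq "$(rpm -q yq)"
```

A host reporting VULNERABLE still needs one of the dnf update commands from the Issue Correction section.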