ALAS2023-2026-1729


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1729
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26
Severity: Important

Issue Overview:

A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. (CVE-2026-4890)

A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. (CVE-2026-4891)

A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. (CVE-2026-4892)

An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information. (CVE-2026-4893)

A buffer overflow in dnsmasq's extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash via a malformed DNS response that causes extract_name() to advance the pointer past the record's end. (CVE-2026-5172)


Affected Packages:

dnsmasq


Issue Correction:
Run one of the following commands to update your system:
    dnf update dnsmasq --releasever 2023.11.20260526
    dnf update --advisory ALAS2023-2026-1729 --releasever 2023.11.20260526
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
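
A post-update check, added here as an example and not part of the advisory: it compares an installed dnsmasq version-release against the fixed build 2.90-1.amzn2023.0.3 listed under New Packages. The function names and the --host switch are hypothetical, and GNU sort -V is assumed to be an adequate stand-in for RPM's own version ordering for strings of this shape (no epoch, no tilde or caret).

```shell
#!/bin/sh
# Added example (not from the advisory): report whether dnsmasq is at or
# above the fixed build named under "New Packages".
FIXED_VR="2.90-1.amzn2023.0.3"   # version-release taken from the advisory

# vr_at_least INSTALLED FIXED -> exit status 0 when INSTALLED >= FIXED.
# Assumption: GNU `sort -V` approximates RPM version comparison well enough
# for plain version-release strings like the ones in this advisory.
vr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify_dnsmasq VR -> prints "fixed" or "needs-update".
classify_dnsmasq() {
    if vr_at_least "$1" "$FIXED_VR"; then
        echo fixed
    else
        echo needs-update
    fi
}

# check_host -> classify the dnsmasq package in the local RPM database.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo no-rpm; return 2; }
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' dnsmasq 2>/dev/null) \
        || { echo not-installed; return 0; }
    classify_dnsmasq "$vr"
}

# Query the local host only when asked, e.g. `sh check.sh --host`.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```
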

New Packages:
aarch64:
    dnsmasq-debuginfo-2.90-1.amzn2023.0.3.aarch64
    dnsmasq-utils-debuginfo-2.90-1.amzn2023.0.3.aarch64
    dnsmasq-debugsource-2.90-1.amzn2023.0.3.aarch64
    dnsmasq-utils-2.90-1.amzn2023.0.3.aarch64
    dnsmasq-2.90-1.amzn2023.0.3.aarch64

src:
    dnsmasq-2.90-1.amzn2023.0.3.src

x86_64:
    dnsmasq-debuginfo-2.90-1.amzn2023.0.3.x86_64
    dnsmasq-utils-debuginfo-2.90-1.amzn2023.0.3.x86_64
    dnsmasq-utils-2.90-1.amzn2023.0.3.x86_64
    dnsmasq-debugsource-2.90-1.amzn2023.0.3.x86_64
    dnsmasq-2.90-1.amzn2023.0.3.x86_64