Amazon Linux 2023 Security Advisory: ALAS2023-2026-1757
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26
GnuTLS didn't check that DTLS fragments claimed a consistent message_length value. Additionally, a crucial array size check was missing, enabling an attacker to cause a heap overwrite. (CVE-2026-33846)
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure. (CVE-2026-3833)
The comparator function used for ordering DTLS packets by sequence number did not honor the qsort comparator contract for packets with duplicate sequence numbers, which could lead to undefined behaviour. (CVE-2026-42009)
Servers configured with RSA-PSK wrongly matched usernames containing a NUL character against the username truncated at that NUL character, which could lead to an authentication bypass. (CVE-2026-42010)
Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free. (CVE-2026-42014)
Appending to a PKCS#12 bag that already contained 32 elements could write past the bag's internal array. (CVE-2026-42015)
For a server using an RSA key backed by a PKCS#11 token, a client sending an extremely short premaster secret during an RSA key exchange could trigger a short heap overread. (CVE-2026-5260)
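The `dNSName` name-constraint issue described for CVE-2026-3833, shown as an added example that is not GnuTLS code and not part of the original advisory: the same subtree check run with a byte-exact comparison and with an ASCII case-insensitive one. All function names and the sample hostnames are assumptions made up for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative helpers only; these names are assumptions, not GnuTLS functions. */
static int ascii_lower(int c) { return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c; }

/* Locale-independent, ASCII case-insensitive comparison of n bytes. */
static bool ascii_ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return false;
    return true;
}

/* True if san equals the dNSName constraint or adds labels to its left.
 * fold_case=false reproduces the case-sensitive comparison described above. */
static bool in_subtree(const char *san, const char *constraint, bool fold_case)
{
    size_t sl = strlen(san), cl = strlen(constraint);
    if (cl == 0) return true;               /* empty constraint covers every name */
    if (sl < cl) return false;
    const char *tail = san + (sl - cl);
    bool same = fold_case ? ascii_ieq(tail, constraint, cl)
                          : memcmp(tail, constraint, cl) == 0;
    return same && (sl == cl || tail[-1] == '.');   /* match only on a label boundary */
}

/* Excluded subtrees always win; if any permitted subtrees exist, one must match. */
static bool name_allowed(const char *san, const char *const *permitted, size_t np,
                         const char *const *excluded, size_t ne, bool fold_case)
{
    for (size_t i = 0; i < ne; i++)
        if (in_subtree(san, excluded[i], fold_case)) return false;
    for (size_t i = 0; i < np; i++)
        if (in_subtree(san, permitted[i], fold_case)) return true;
    return np == 0;
}

int main(void)
{
    /* Constructed sample values. */
    const char *const excluded[] = { "internal.example.com" };
    const char *san = "host.INTERNAL.example.com";
    printf("case-sensitive:   %s\n", name_allowed(san, NULL, 0, excluded, 1, false) ? "accepted" : "rejected");
    printf("case-insensitive: %s\n", name_allowed(san, NULL, 0, excluded, 1, true) ? "accepted" : "rejected");
    return 0;
}
```

With the byte-exact comparison the mixed-case name slips past the excluded subtree and is accepted; with case folding it is rejected.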
Affected Packages:
gnutls
Issue Correction:
Run `dnf update gnutls --releasever 2023.11.20260526` or `dnf update --advisory ALAS2023-2026-1757 --releasever 2023.11.20260526` to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
gnutls-dane-debuginfo-3.8.3-8.amzn2023.0.3.aarch64
gnutls-debuginfo-3.8.3-8.amzn2023.0.3.aarch64
gnutls-c++-3.8.3-8.amzn2023.0.3.aarch64
gnutls-c++-debuginfo-3.8.3-8.amzn2023.0.3.aarch64
gnutls-utils-debuginfo-3.8.3-8.amzn2023.0.3.aarch64
gnutls-dane-3.8.3-8.amzn2023.0.3.aarch64
gnutls-3.8.3-8.amzn2023.0.3.aarch64
gnutls-utils-3.8.3-8.amzn2023.0.3.aarch64
gnutls-debugsource-3.8.3-8.amzn2023.0.3.aarch64
gnutls-devel-3.8.3-8.amzn2023.0.3.aarch64
src:
gnutls-3.8.3-8.amzn2023.0.3.src
x86_64:
gnutls-utils-debuginfo-3.8.3-8.amzn2023.0.3.x86_64
gnutls-debuginfo-3.8.3-8.amzn2023.0.3.x86_64
gnutls-dane-debuginfo-3.8.3-8.amzn2023.0.3.x86_64
gnutls-c++-debuginfo-3.8.3-8.amzn2023.0.3.x86_64
gnutls-debugsource-3.8.3-8.amzn2023.0.3.x86_64
gnutls-dane-3.8.3-8.amzn2023.0.3.x86_64
gnutls-c++-3.8.3-8.amzn2023.0.3.x86_64
gnutls-utils-3.8.3-8.amzn2023.0.3.x86_64
gnutls-3.8.3-8.amzn2023.0.3.x86_64
gnutls-devel-3.8.3-8.amzn2023.0.3.x86_64