Amazon Linux 2023 Security Advisory: ALAS2023-2026-1792
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
Severity:
Medium
References:
FAQs regarding Amazon Linux ALAS/CVE Severity
FAQs regarding Amazon Linux ALAS/CVE Severity
Issue Overview:
A denial of service vulnerability (GHSA-XMRV-PMRH-HHX2) was found in the bundled AWS SDK for Go v2 EventStream decoder used by credentials-fetcher. An attacker who can inject a malformed EventStream response frame with a crafted header value type byte outside the valid range can cause a panic, terminating the host process.
Affected Packages:
credentials-fetcher
Issue Correction:
Run dnf update credentials-fetcher --releasever 2023.12.20260608 or dnf update --advisory ALAS2023-2026-1792 --releasever 2023.12.20260608 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
credentials-fetcher-2.0.2-1.amzn2023.0.1.aarch64
src:
credentials-fetcher-2.0.2-1.amzn2023.0.1.src
x86_64:
credentials-fetcher-2.0.2-1.amzn2023.0.1.x86_64