Amazon Linux 2023 Security Advisory: ALAS2023-2026-1836
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
Severity:
Low
Issue Overview:
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.
The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.
The read may disclose adjacent heap contents into the destination SV. (CVE-2026-8829)
Affected Packages:
perl-HTML-Parser
Issue Correction:
Run dnf update perl-HTML-Parser --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1836 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
perl-HTML-Parser-debugsource-3.76-1.amzn2023.0.4.aarch64
perl-HTML-Parser-debuginfo-3.76-1.amzn2023.0.4.aarch64
perl-HTML-Parser-tests-3.76-1.amzn2023.0.4.aarch64
perl-HTML-Parser-3.76-1.amzn2023.0.4.aarch64
src:
perl-HTML-Parser-3.76-1.amzn2023.0.4.src
x86_64:
perl-HTML-Parser-debugsource-3.76-1.amzn2023.0.4.x86_64
perl-HTML-Parser-debuginfo-3.76-1.amzn2023.0.4.x86_64
perl-HTML-Parser-tests-3.76-1.amzn2023.0.4.x86_64
perl-HTML-Parser-3.76-1.amzn2023.0.4.x86_64