ALAS2-2026-3216

Amazon Linux 2 Security Advisory: ALAS2-2026-3216
Advisory Released Date: 2026-04-01
Advisory Updated Date: 2026-04-01

Severity: Important

References: CVE-2026-4177
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.

The heap overflow occurs when class names exceed the initial 512-byte allocation.

The base64 decoder could read past the buffer end on trailing newlines.

strtok mutated n->type_id in place, corrupting shared node data.

A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return. (CVE-2026-4177)

Affected Packages:

perl-YAML-Syck

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update perl-YAML-Syck or yum update --advisory ALAS2-2026-3216 to update your system.

New Packages:

aarch64:
    perl-YAML-Syck-1.27-3.amzn2.0.4.aarch64
    perl-YAML-Syck-debuginfo-1.27-3.amzn2.0.4.aarch64

i686:
    perl-YAML-Syck-1.27-3.amzn2.0.4.i686
    perl-YAML-Syck-debuginfo-1.27-3.amzn2.0.4.i686

src:
    perl-YAML-Syck-1.27-3.amzn2.0.4.src

x86_64:
    perl-YAML-Syck-1.27-3.amzn2.0.4.x86_64
    perl-YAML-Syck-debuginfo-1.27-3.amzn2.0.4.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2026-4177

Mitre: CVE-2026-4177