ALAS2DOCKER-2026-132

Amazon Linux 2 Security Advisory: ALAS2DOCKER-2026-132
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
Severity: Important
Issue Overview:

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. (CVE-2026-25680)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-25681)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-27136)

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com". (CVE-2026-39821)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-42502)

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. (CVE-2026-42504)

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. (CVE-2026-42506)


Affected Packages:

runfinch-finch


Note:

This advisory is applicable to Amazon Linux 2 - Docker Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update runfinch-finch or yum update --advisory ALAS2DOCKER-2026-132 to update your system.

New Packages:
aarch64:
    runfinch-finch-1.17.1-1.amzn2.0.3.aarch64

src:
    runfinch-finch-1.17.1-1.amzn2.0.3.src

x86_64:
    runfinch-finch-1.17.1-1.amzn2.0.3.x86_64

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-42502, CVE-2026-42504, CVE-2026-42506

Mitre: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-42502, CVE-2026-42504, CVE-2026-42506