ALAS2023-2025-1042

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1042
Advisory Released Date: 2025-06-23
Advisory Updated Date: 2025-06-23

Severity: Medium

References: CVE-2025-0838
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

There exists a heap buffer overflow vulnerable in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}hash{set,map} did not impose an upper bound on their size argument. As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1 (CVE-2025-0838)

Affected Packages:

abseil-cpp

Issue Correction:
Run dnf update abseil-cpp --releasever 2023.7.20250623 to update your system.

New Packages:

aarch64:
    abseil-cpp-debugsource-20220623.1-4.amzn2023.0.2.aarch64
    abseil-cpp-debuginfo-20220623.1-4.amzn2023.0.2.aarch64
    abseil-cpp-20220623.1-4.amzn2023.0.2.aarch64
    abseil-cpp-devel-20220623.1-4.amzn2023.0.2.aarch64

src:
    abseil-cpp-20220623.1-4.amzn2023.0.2.src

x86_64:
    abseil-cpp-debugsource-20220623.1-4.amzn2023.0.2.x86_64
    abseil-cpp-debuginfo-20220623.1-4.amzn2023.0.2.x86_64
    abseil-cpp-20220623.1-4.amzn2023.0.2.x86_64
    abseil-cpp-devel-20220623.1-4.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-0838

Mitre: CVE-2025-0838