ALAS2023-2026-1897

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1897
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-24

Severity: Important

References: CVE-2026-47262 CVE-2026-50195 CVE-2026-53488 CVE-2026-53489 CVE-2026-53492
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Memory exhaustion DoS causing OOM kill of containerd process

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq (CVE-2026-47262)

Image cache poisoning via unvalidated checkpoint image references, enabling cross-pod code execution

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574 (CVE-2026-50195)

Arbitrary host command execution through unvalidated image config labels propagated to containers

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp (CVE-2026-53488)

Arbitrary file read on host via symlinked container log paths during checkpoint restore

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388 (CVE-2026-53489)

Device and host mount injection via CDI annotations in checkpoint metadata (requires CDI enabled on node)

NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc (CVE-2026-53492)

Affected Packages:

containerd

Issue Correction:
Run dnf update containerd --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1897 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    containerd-stress-debuginfo-2.2.4-1.amzn2023.0.3.aarch64
    containerd-debuginfo-2.2.4-1.amzn2023.0.3.aarch64
    containerd-2.2.4-1.amzn2023.0.3.aarch64
    containerd-stress-2.2.4-1.amzn2023.0.3.aarch64
    containerd-debugsource-2.2.4-1.amzn2023.0.3.aarch64

src:
    containerd-2.2.4-1.amzn2023.0.3.src

x86_64:
    containerd-debuginfo-2.2.4-1.amzn2023.0.3.x86_64
    containerd-stress-2.2.4-1.amzn2023.0.3.x86_64
    containerd-stress-debuginfo-2.2.4-1.amzn2023.0.3.x86_64
    containerd-2.2.4-1.amzn2023.0.3.x86_64
    containerd-debugsource-2.2.4-1.amzn2023.0.3.x86_64

Changelog:

2026-06-24: CVE-2026-50195 was added to this advisory.

2026-06-24: CVE-2026-53489 was added to this advisory.

2026-06-24: CVE-2026-47262 was added to this advisory.

2026-06-24: CVE-2026-53492 was added to this advisory.

2026-06-24: CVE-2026-53488 was added to this advisory.

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-47262, CVE-2026-50195, CVE-2026-53488, CVE-2026-53489, CVE-2026-53492

Mitre: CVE-2026-47262, CVE-2026-50195, CVE-2026-53488, CVE-2026-53489, CVE-2026-53492