CVE-2026-39821

Public on 2026-05-22
Modified on 2026-06-05
Description
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
4.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core amazon-cloudwatch-agent Pending Fix
Amazon Linux 2023 amazon-cloudwatch-agent Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra amazon-ecr-credential-helper Not Affected
Amazon Linux 2 - Docker Extra amazon-ecr-credential-helper Not Affected
Amazon Linux 2 - Ecs Extra amazon-ecr-credential-helper Not Affected
Amazon Linux 2023 amazon-ecr-credential-helper Not Affected
Amazon Linux 2 - Core amazon-ssm-agent Not Affected
Amazon Linux 2023 amazon-ssm-agent Not Affected
Amazon Linux 2 - Core cni-plugins Pending Fix
Amazon Linux 2023 cni-plugins Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra containerd Pending Fix
Amazon Linux 2 - Docker Extra containerd Pending Fix
Amazon Linux 2 - Ecs Extra containerd Pending Fix
Amazon Linux 2023 containerd Pending Fix
Amazon Linux 2023 credentials-fetcher Pending Fix
Amazon Linux 2 - Core cri-tools Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra docker Pending Fix
Amazon Linux 2 - Docker Extra docker Pending Fix
Amazon Linux 2 - Ecs Extra docker Pending Fix
Amazon Linux 2023 docker Pending Fix
Amazon Linux 2 - Ecs Extra ecs-init Pending Fix
Amazon Linux 2023 ecs-init Pending Fix
Amazon Linux 2023 git-lfs Pending Fix
Amazon Linux 2 - Core golang Not Affected
Amazon Linux 2 - Golang1.11 Extra golang No Fix Planned
Amazon Linux 2 - Golang1.19 Extra golang No Fix Planned
Amazon Linux 2 - Golang1.9 Extra golang No Fix Planned
Amazon Linux 2023 golang Not Affected
Amazon Linux 2023 golang-github-burntsushi-toml Not Affected
Amazon Linux 2023 golang-github-burntsushi-toml-test Not Affected
Amazon Linux 2023 golang-github-cpuguy83-md2man Not Affected
Amazon Linux 2 - Core golist Not Affected
Amazon Linux 2023 golist Not Affected
Amazon Linux 2023 libcap Not Affected
Amazon Linux 2 - Core nerdctl Pending Fix
Amazon Linux 2023 nerdctl Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra oci-add-hooks Not Affected
Amazon Linux 2 - Docker Extra oci-add-hooks Not Affected
Amazon Linux 2 - Ecs Extra oci-add-hooks Not Affected
Amazon Linux 2023 oci-add-hooks Not Affected
Amazon Linux 2 - Core rclone Pending Fix
Amazon Linux 2023 rclone Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra runc Not Affected
Amazon Linux 2 - Docker Extra runc Not Affected
Amazon Linux 2 - Ecs Extra runc Not Affected
Amazon Linux 2023 runc Not Affected
Amazon Linux 2 - Docker Extra runfinch-finch Pending Fix
Amazon Linux 2023 runfinch-finch Pending Fix
Amazon Linux 2 - Docker Extra soci-snapshotter Pending Fix
Amazon Linux 2023 soci-snapshotter Pending Fix
Amazon Linux 2023 yq Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2026-39821 Mitre: CVE-2026-39821