CVE-2026-39833

Public on 2026-05-22
Modified on 2026-05-22
Description
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.7
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core amazon-cloudwatch-agent Pending Fix
Amazon Linux 2023 amazon-cloudwatch-agent Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra containerd Pending Fix
Amazon Linux 2 - Docker Extra containerd Pending Fix
Amazon Linux 2 - Ecs Extra containerd Pending Fix
Amazon Linux 2023 containerd Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra docker Pending Fix
Amazon Linux 2 - Docker Extra docker Pending Fix
Amazon Linux 2 - Ecs Extra docker Pending Fix
Amazon Linux 2023 docker Pending Fix
Amazon Linux 2023 git-lfs Pending Fix
Amazon Linux 2 - Core nerdctl Pending Fix
Amazon Linux 2023 nerdctl Pending Fix
Amazon Linux 2 - Core rclone Pending Fix
Amazon Linux 2023 rclone Pending Fix
Amazon Linux 2 - Docker Extra runfinch-finch Pending Fix
Amazon Linux 2023 runfinch-finch Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2026-39833 Mitre: CVE-2026-39833