CVE-2026-27139

Public on 2026-03-06
Modified on 2026-03-12
Description
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
5.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core amazon-cloudwatch-agent 2026-04-14 ALAS2-2026-3248 Fixed
Amazon Linux 2023 amazon-cloudwatch-agent 2026-04-13 ALAS2023-2026-1572 Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra amazon-ecr-credential-helper 2026-04-14 ALAS2NITRO-ENCLAVES-2026-095 Fixed
Amazon Linux 2 - Docker Extra amazon-ecr-credential-helper 2026-04-14 ALAS2DOCKER-2026-109 Fixed
Amazon Linux 2 - Ecs Extra amazon-ecr-credential-helper 2026-04-14 ALAS2ECS-2026-103 Fixed
Amazon Linux 2023 amazon-ecr-credential-helper 2026-04-13 ALAS2023-2026-1574 Fixed
Amazon Linux 2023 amazon-ssm-agent Pending Fix
Amazon Linux 2 - Core cni-plugins Pending Fix
Amazon Linux 2023 cni-plugins Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra containerd 2026-02-19 ALAS2NITRO-ENCLAVES-2026-092 Fixed
Amazon Linux 2 - Docker Extra containerd 2026-04-14 ALAS2DOCKER-2026-104 Fixed
Amazon Linux 2 - Ecs Extra containerd 2026-04-14 ALAS2ECS-2026-102 Fixed
Amazon Linux 2023 containerd 2026-04-13 ALAS2023-2026-1534 Fixed
Amazon Linux 2023 credentials-fetcher 2026-04-01 ALAS2023-2026-1501 Fixed
Amazon Linux 2 - Core cri-tools Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra docker 2026-04-14 ALAS2NITRO-ENCLAVES-2026-094 Fixed
Amazon Linux 2 - Docker Extra docker 2026-04-14 ALAS2DOCKER-2026-108 Fixed
Amazon Linux 2 - Ecs Extra docker 2026-04-14 ALAS2ECS-2026-106 Fixed
Amazon Linux 2023 docker 2026-04-13 ALAS2023-2026-1571 Fixed
Amazon Linux 2 - Ecs Extra ecs-init 2026-04-14 ALAS2ECS-2026-101 Fixed
Amazon Linux 2023 ecs-init 2026-04-13 ALAS2023-2026-1552 Fixed
Amazon Linux 2 - Core golang 2026-03-19 ALAS2-2026-3203 Fixed
Amazon Linux 2023 golang 2026-03-27 ALAS2023-2026-1482 Fixed
Amazon Linux 2 - Core golang-github-cpuguy83-go-md2man Not Affected
Amazon Linux 2 - Core golist 2026-03-19 ALAS2-2026-3202 Fixed
Amazon Linux 2023 golist 2026-04-01 ALAS2023-2026-1513 Fixed
Amazon Linux 2023 libcap Pending Fix
Amazon Linux 2 - Core nerdctl 2026-04-14 ALAS2-2026-3229 Fixed
Amazon Linux 2023 nerdctl 2026-04-13 ALAS2023-2026-1535 Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra oci-add-hooks 2026-04-14 ALAS2NITRO-ENCLAVES-2026-096 Fixed
Amazon Linux 2 - Docker Extra oci-add-hooks 2026-04-14 ALAS2DOCKER-2026-110 Fixed
Amazon Linux 2 - Ecs Extra oci-add-hooks 2026-04-14 ALAS2ECS-2026-104 Fixed
Amazon Linux 2023 oci-add-hooks 2026-04-13 ALAS2023-2026-1575 Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra runc 2026-04-14 ALAS2NITRO-ENCLAVES-2026-093 Fixed
Amazon Linux 2 - Docker Extra runc 2026-04-14 ALAS2DOCKER-2026-105 Fixed
Amazon Linux 2 - Ecs Extra runc 2026-04-14 ALAS2ECS-2026-105 Fixed
Amazon Linux 2023 runc 2026-04-13 ALAS2023-2026-1541 Fixed
Amazon Linux 2 - Docker Extra runfinch-finch 2026-02-19 ALAS2DOCKER-2026-103 Fixed
Amazon Linux 2023 runfinch-finch 2026-04-01 ALAS2023-2026-1507 Fixed
Amazon Linux 2 - Docker Extra soci-snapshotter 2026-04-14 ALAS2DOCKER-2026-107 Fixed
Amazon Linux 2023 soci-snapshotter 2026-04-13 ALAS2023-2026-1573 Fixed
Amazon Linux 2023 yq 2026-04-13 ALAS2023-2026-1582 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2026-27139 Mitre: CVE-2026-27139