Amazon Linux 2 : rclone, --advisory ALAS2-2026-3348 (ALAS-2026-3348)

🗓️ 08 Jun 2026 00:00:00Reported by TenableType

Rclone before 1.55.1-1 on Amazon Linux 2 fixes key size limits and revocation checks.

Reporter	Title	Published	Views	Family All 3777
ATTACKERKB	CVE-2026-39833	22 May 202602:31	–	attackerkb
ATTACKERKB	CVE-2026-39830	22 May 202602:31	–	attackerkb
ATTACKERKB	CVE-2026-39831	22 May 202602:31	–	attackerkb
ATTACKERKB	CVE-2026-42508	22 May 202602:31	–	attackerkb
ATTACKERKB	CVE-2026-39829	22 May 202602:31	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : docker (ALAS2023-2026-1783)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2026-1784)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : nerdctl (ALAS2023-2026-1788)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : runfinch-finch (ALAS2023-2026-1809)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : rclone (ALAS2023-2026-1810)	8 Jun 202600:00	–	nessus

Source	Link
alas	www.alas.aws.amazon.com//AL2/ALAS2-2026-3348.html
alas	www.alas.aws.amazon.com/faqs.html
explore	www.explore.alas.aws.amazon.com/CVE-2026-39829.html
explore	www.explore.alas.aws.amazon.com/CVE-2026-39830.html
explore	www.explore.alas.aws.amazon.com/CVE-2026-39831.html
explore	www.explore.alas.aws.amazon.com/CVE-2026-39833.html
explore	www.explore.alas.aws.amazon.com/CVE-2026-42508.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2026-3348.
##

include('compat.inc');

if (description)
{
  script_id(319862);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/08");

  script_cve_id(
    "CVE-2026-39829",
    "CVE-2026-39830",
    "CVE-2026-39831",
    "CVE-2026-39833",
    "CVE-2026-42508"
  );
  script_xref(name:"IAVB", value:"2026-B-0120");

  script_name(english:"Amazon Linux 2 : rclone, --advisory ALAS2-2026-3348 (ALAS-2026-3348)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of rclone installed on the remote host is prior to 1.55.1-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2026-3348 advisory.

    The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key
    with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during
    signature verification. This could be triggered by unauthenticated clients during public key
    authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
    (CVE-2026-39829)

    A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking
    the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a
    resource leak per connection. Unsolicited global responses are now discarded. (CVE-2026-39830)

    The Verify() method for FIDO/U2F security key types ([email protected], sk-ssh-
    [email protected]) did not check the User Presence flag. Signatures generated without physical touch
    were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,
    return a no-touch-required extension in Permissions.Extensions from PublicKeyCallback. (CVE-2026-39831)

    The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint
    but never enforced it. The key would sign without any confirmation prompt, with no indication to the
    caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported
    constraints are requested. (CVE-2026-39833)

    Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both
    the 'key' and 'key.SignatureKey' are checked for @revoked. (CVE-2026-42508)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2026-3348.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-39829.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-39830.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-39831.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-39833.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-42508.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update rclone' or
  or 'yum update --advisory ALAS2-2026-3348' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42508");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rclone");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rclone-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'rclone-1.55.1-1.amzn2.0.7', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rclone-1.55.1-1.amzn2.0.7', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rclone-debuginfo-1.55.1-1.amzn2.0.7', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rclone-debuginfo-1.55.1-1.amzn2.0.7', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rclone / rclone-debuginfo");
}

08 Jun 2026 00:00Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.19.1

EPSS0.00054

SSVC