Severity by source

CVSS vector (vendor: AMZN):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Network-reachable client-side flaw that needs the victim client to connect to a malicious HTTP/2 server (the UI:P interaction in the vector above); heap grooming for reliable RCE would arguably push AC to H; no authentication required, full CIA impact on the client process.
Primary rating from Vendor (AMZN).
Description (source: CVE.org)
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames.
To remediate this issue, users should upgrade to aws-c-http version 0.11.0.
Analysis (AI-generated)
Client-side memory corruption in the AWS Common Runtime aws-c-http library can be triggered by a malicious HTTP/2 server that sends a crafted sequence of HEADERS frames manipulating the HPACK dynamic table size, potentially leading to arbitrary code execution in applications that use the library as an HTTP/2 client. The CVSS 4.0 score of 8.7 (High) reflects network reachability with low complexity but requires user/client interaction (initiating a connection to the attacker server). …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The victim application must use aws-c-http (or a downstream AWS CRT SDK that bundles it) as an HTTP/2 client and must initiate or accept an HTTP/2 (h2) connection to a server controlled or influenced by the attacker; that client-initiated outbound connection to a malicious server is the UI:P interaction in the CVSS vector. … |
| Risk Assessment | Signals here are mixed and need to be read carefully. … |
| Exploit Scenario | An attacker stands up a hostile HTTP/2 server (or compromises an upstream that a victim already connects to, such as a webhook receiver or a redirected fetcher target) and lures or waits for an aws-c-http-based client (an AWS SDK application, an IoT device, a server-side URL fetcher) to open a connection. During the HTTP/2 exchange the server emits a crafted sequence of HEADERS frames carrying HPACK dynamic table size updates that hit the rounding edge case, triggering a double free in the client's decoder and corrupting the heap. … |
| Remediation | Vendor-released patch: aws-c-http 0.11.0. Upgrade directly via the GitHub release at https://github.com/awslabs/aws-c-http/releases/tag/v0.11.0, or rebuild/refresh any downstream AWS CRT-based SDK (aws-crt-python, aws-crt-java, aws-crt-cpp, AWS SDK for C++, AWS IoT Device SDK v2) once it ships a release that bundles aws-c-http >= 0.11.0, per the AWS bulletin at https://aws.amazon.com/security/security-bulletins/2026-043-aws/. … |
Recommended Action (AI-generated)

Within 24 hours: identify all applications and services that use the aws-c-http library; prioritize those that open HTTP/2 connections to external or untrusted servers, since the affected component is the HTTP/2 client side. …
Related identifier: EUVD-2026-36541