Skip to main content

Amazon Athena Odbc Driver CVE-2026-35559

| EUVDEUVD-2026-18853 HIGH
Out-of-bounds Write (CWE-787)
2026-04-03 AMZN
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18853
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
Patch released
Apr 03, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 03, 2026 - 20:13 nvd
HIGH 7.1

DescriptionCVE.org

Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations.

To remediate this issue, users should upgrade to version 2.1.0.0.

AnalysisAI

Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver through specially crafted query data, requiring user interaction to process malicious queries. Affected versions include all Amazon Athena ODBC driver releases before 2.1.0.0 across Windows, Linux, and macOS platforms. CVSS 7.1 (High) reflects network-based attack with low complexity but requires user interaction (UI:P) and impacts only availability (VA:H). No public exploit identified at time of analysis. Vendor-released patch version 2.1.0.0 is available for all supported platforms with direct download links provided in AWS security bulletin 2026-013.

Technical ContextAI

This vulnerability stems from a CWE-787 out-of-bounds write condition in the query processing components of the Amazon Athena ODBC (Open Database Connectivity) driver. ODBC drivers act as middleware translating application database requests into commands the database engine can process. The affected component processes query operations and fails to properly validate bounds when handling specially crafted input data, allowing writes beyond allocated memory buffers. The Amazon Athena ODBC driver (CPE: cpe:2.3:a:amazon:amazon_athena_odbc_driver) enables SQL-based applications to connect to Amazon Athena, AWS's serverless interactive query service. Out-of-bounds write vulnerabilities in database drivers are particularly concerning as they handle untrusted data from query results and parameters, creating opportunities for memory corruption attacks. While the CVSS 4.0 vector indicates this specific instance results in availability impact (driver crash) rather than code execution, the CWE-787 class encompasses buffer overflows that historically enable arbitrary code execution when exploited with greater sophistication.

RemediationAI

Users must upgrade to Amazon Athena ODBC driver version 2.1.0.0 immediately to remediate this vulnerability. Amazon has released patched versions for all supported platforms with direct download links: Windows users should install AmazonAthenaODBC-2.1.0.0.msi from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi, Linux users should deploy the RPM package from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm, macOS ARM users should install https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg, and macOS Intel users should use https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg. Comprehensive release notes are available at https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html. No workarounds are documented; upgrading to version 2.1.0.0 is the only effective remediation per AWS security bulletin 2026-013. Organizations should prioritize upgrades for systems processing queries from untrusted or external data sources.

Share

CVE-2026-35559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy