Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations.
To remediate this issue, users should upgrade to version 2.1.0.0.
AnalysisAI
Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver through specially crafted query data, requiring user interaction to process malicious queries. Affected versions include all Amazon Athena ODBC driver releases before 2.1.0.0 across Windows, Linux, and macOS platforms. CVSS 7.1 (High) reflects network-based attack with low complexity but requires user interaction (UI:P) and impacts only availability (VA:H). No public exploit identified at time of analysis. Vendor-released patch version 2.1.0.0 is available for all supported platforms with direct download links provided in AWS security bulletin 2026-013.
Technical ContextAI
This vulnerability stems from a CWE-787 out-of-bounds write condition in the query processing components of the Amazon Athena ODBC (Open Database Connectivity) driver. ODBC drivers act as middleware translating application database requests into commands the database engine can process. The affected component processes query operations and fails to properly validate bounds when handling specially crafted input data, allowing writes beyond allocated memory buffers. The Amazon Athena ODBC driver (CPE: cpe:2.3:a:amazon:amazon_athena_odbc_driver) enables SQL-based applications to connect to Amazon Athena, AWS's serverless interactive query service. Out-of-bounds write vulnerabilities in database drivers are particularly concerning as they handle untrusted data from query results and parameters, creating opportunities for memory corruption attacks. While the CVSS 4.0 vector indicates this specific instance results in availability impact (driver crash) rather than code execution, the CWE-787 class encompasses buffer overflows that historically enable arbitrary code execution when exploited with greater sophistication.
RemediationAI
Users must upgrade to Amazon Athena ODBC driver version 2.1.0.0 immediately to remediate this vulnerability. Amazon has released patched versions for all supported platforms with direct download links: Windows users should install AmazonAthenaODBC-2.1.0.0.msi from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi, Linux users should deploy the RPM package from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm, macOS ARM users should install https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg, and macOS Intel users should use https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg. Comprehensive release notes are available at https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html. No workarounds are documented; upgrading to version 2.1.0.0 is the only effective remediation per AWS security bulletin 2026-013. Organizations should prioritize upgrades for systems processing queries from untrusted or external data sources.
More in Amazon Athena Odbc Driver
View allBrowser-based authentication session hijacking in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows remote unau
Man-in-the-middle attacks can intercept authentication credentials in Amazon Athena ODBC driver versions prior to 2.1.0.
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to tr
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary cod
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated l
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18853