Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Allocation of resources without limits in the parsing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to cause a denial of service by delivering crafted input that triggers excessive resource consumption during the driver's parsing operations.
To remediate this issue, users should upgrade to version 2.1.0.0.
AnalysisAI
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to trigger denial of service through maliciously crafted input that overwhelms parsing logic. CVSS 7.5 (High) reflects network-accessible attack vector with low complexity and no prerequisites. EPSS data not provided, but no public exploit or CISA KEV listing identified at time of analysis. Amazon has released patches for Windows, Linux, and macOS platforms.
Technical ContextAI
The vulnerability resides in the parsing components of the Amazon Athena ODBC driver, which provides database connectivity for SQL queries against AWS Athena. CWE-770 (Allocation of Resources Without Limits or Throttling) indicates missing resource constraints during input processing operations. ODBC drivers parse connection strings, SQL statements, and result sets-any of these could be attack vectors if the driver fails to implement bounds checking, memory limits, or rate throttling during parsing. The affected component is cpe:2.3:a:amazon:amazon_athena_odbc_driver versions before 2.1.0.0, spanning Windows, Linux, and macOS platforms. Without proper resource governance, attackers can submit specially crafted ODBC requests that cause unbounded memory allocation, CPU consumption, or connection exhaustion, rendering the driver or dependent applications unresponsive.
RemediationAI
Upgrade to Amazon Athena ODBC driver version 2.1.0.0 immediately. Amazon provides platform-specific installers: Windows users should deploy AmazonAthenaODBC-2.1.0.0.msi from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi, Linux administrators should install AmazonAthenaODBC-2.1.0.0.rpm from the Linux directory, and macOS users should use either AmazonAthenaODBC-2.1.0.0_arm.pkg (Apple Silicon) or AmazonAthenaODBC-2.1.0.0_x86.pkg (Intel processors). Consult AWS security bulletin 2026-013-aws at https://aws.amazon.com/security/security-bulletins/2026-013-aws/ for additional deployment guidance and driver release notes at https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html. No workarounds are documented; direct upgrade is the recommended mitigation. After installation, verify the driver version reports 2.1.0.0 or later through ODBC administrator tools or application connection diagnostics.
More in Amazon Athena Odbc Driver
View allBrowser-based authentication session hijacking in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows remote unau
Man-in-the-middle attacks can intercept authentication credentials in Amazon Athena ODBC driver versions prior to 2.1.0.
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary cod
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated l
Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18859