Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages.
To remediate this issue, users should upgrade to version 0.6.0 or later.
AnalysisAI
Memory corruption leading to arbitrary code execution affects AWS C Event Stream library versions before 0.6.0 when clients process malicious event-stream messages from attacker-controlled servers. The out-of-bounds write vulnerability in the streaming decoder requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), but grants complete control over confidentiality, integrity, and availability if successfully exploited. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE. Vendor-released patch version 0.6.0 addresses the issue.
Technical ContextAI
The aws-c-event-stream library (CPE: cpe:2.3:a:aws:aws-c-event-stream) is part of the AWS Common Runtime, providing event-stream protocol encoding and decoding capabilities used by AWS SDKs and client applications. This vulnerability manifests as CWE-787 (Out-of-bounds Write) in the streaming decoder component, which processes incoming event-stream formatted messages. When parsing crafted event-stream data, the decoder writes beyond allocated memory boundaries, corrupting adjacent memory regions. This memory safety violation occurs during the deserialization phase before validation completes, allowing attackers who control a server endpoint to inject malicious payloads into the event stream. The library is commonly used in client-side AWS SDK implementations across multiple programming languages that interface with AWS services using event-stream protocols like S3 Select, Kinesis, and Transcribe Streaming.
RemediationAI
Vendor-released patch: Upgrade aws-c-event-stream to version 0.6.0 or later, which contains the fix for the out-of-bounds write vulnerability. The patched release is available at https://github.com/awslabs/aws-c-event-stream/releases/tag/v0.6.0. Organizations using AWS SDKs should update to SDK versions that incorporate aws-c-event-stream 0.6.0 or later by checking SDK release notes and dependency versions. For applications with custom builds of AWS Common Runtime components, rebuild with the updated library version and redeploy affected client applications. As an interim mitigation if immediate patching is not feasible, restrict client applications to communicate only with trusted AWS service endpoints and avoid processing event-streams from third-party or unverified servers. Network segmentation and endpoint verification can reduce attack surface by ensuring clients only connect to known-good AWS infrastructure. Refer to AWS security bulletin https://aws.amazon.com/security/security-bulletins/2026-011-aws/ for additional guidance and affected SDK version matrices. No workarounds fully eliminate the vulnerability; upgrading to 0.6.0+ is the definitive remediation.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17575