Skip to main content

Suse CVE-2026-5190

| EUVDEUVD-2026-17575 HIGH
Out-of-bounds Write (CWE-787)
2026-03-31 AMZN
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 31, 2026 - 17:45 euvd
EUVD-2026-17575
Analysis Generated
Mar 31, 2026 - 17:45 vuln.today
Patch released
Mar 31, 2026 - 17:45 nvd
Patch available
CVE Published
Mar 31, 2026 - 17:05 nvd
HIGH 7.7

DescriptionCVE.org

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages.

To remediate this issue, users should upgrade to version 0.6.0 or later.

AnalysisAI

Memory corruption leading to arbitrary code execution affects AWS C Event Stream library versions before 0.6.0 when clients process malicious event-stream messages from attacker-controlled servers. The out-of-bounds write vulnerability in the streaming decoder requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), but grants complete control over confidentiality, integrity, and availability if successfully exploited. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE. Vendor-released patch version 0.6.0 addresses the issue.

Technical ContextAI

The aws-c-event-stream library (CPE: cpe:2.3:a:aws:aws-c-event-stream) is part of the AWS Common Runtime, providing event-stream protocol encoding and decoding capabilities used by AWS SDKs and client applications. This vulnerability manifests as CWE-787 (Out-of-bounds Write) in the streaming decoder component, which processes incoming event-stream formatted messages. When parsing crafted event-stream data, the decoder writes beyond allocated memory boundaries, corrupting adjacent memory regions. This memory safety violation occurs during the deserialization phase before validation completes, allowing attackers who control a server endpoint to inject malicious payloads into the event stream. The library is commonly used in client-side AWS SDK implementations across multiple programming languages that interface with AWS services using event-stream protocols like S3 Select, Kinesis, and Transcribe Streaming.

RemediationAI

Vendor-released patch: Upgrade aws-c-event-stream to version 0.6.0 or later, which contains the fix for the out-of-bounds write vulnerability. The patched release is available at https://github.com/awslabs/aws-c-event-stream/releases/tag/v0.6.0. Organizations using AWS SDKs should update to SDK versions that incorporate aws-c-event-stream 0.6.0 or later by checking SDK release notes and dependency versions. For applications with custom builds of AWS Common Runtime components, rebuild with the updated library version and redeploy affected client applications. As an interim mitigation if immediate patching is not feasible, restrict client applications to communicate only with trusted AWS service endpoints and avoid processing event-streams from third-party or unverified servers. Network segmentation and endpoint verification can reduce attack surface by ensuring clients only connect to known-good AWS infrastructure. Refer to AWS security bulletin https://aws.amazon.com/security/security-bulletins/2026-011-aws/ for additional guidance and affected SDK version matrices. No workarounds fully eliminate the vulnerability; upgrading to 0.6.0+ is the definitive remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-5190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy