CVE-2026-5190
Out-of-Bounds Write in aws-c-event-stream Enables Remote Code Execution
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: AMZN
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aws | aws-c-event-stream | From 0.6.0 (exc) |
| aws | aws-iot-device-sdk-cpp-v2 | to 1.42.1 (exc) |
| aws | aws-iot-device-sdk-java-v2 | to 1.30.1 (exc) |
| aws | aws-iot-device-sdk-python-v2 | to 1.28.2 (exc) |
| aws | aws-iot-device-sdk-js-v2 | to 1.25.1 (exc) |
| aws | aws-sdk-swift | to 1.6.70 (exc) |
| aws | aws-sdk-cpp | to 1.11.764 (exc) |
| amazon | aws-c-event-stream | From 0.6.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5190 is a high-severity memory corruption vulnerability in the aws-c-event-stream library, which is part of the AWS Common Runtime. It occurs in the streaming decoder component before version 0.6.0. The flaw happens during the parsing of event-stream headers, where specially crafted messages sent by a third-party server can cause an out-of-bounds write, leading to memory corruption.
This memory corruption can potentially allow an attacker to execute arbitrary code on a client application that processes these malicious event-stream messages.
The vulnerability requires the attacker to control the server communicating with the client, and the client must process the crafted messages. AWS-operated servers are not vulnerable.
The issue was fixed in aws-c-event-stream version 0.6.0 by correcting the handling of buffer boundaries during decoding operations to prevent the overflow.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-5190 on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
If you use a client application that relies on vulnerable versions of aws-c-event-stream or dependent AWS SDKs, this vulnerability can allow a malicious third-party server to cause memory corruption in your client.
This memory corruption can lead to arbitrary code execution on your client application, potentially compromising the confidentiality, integrity, and availability of your system.
Exploitation requires the attacker to control the server sending event-stream messages and the client to process these messages, but no privileges are required on the client side.
To mitigate the risk, you should upgrade to aws-c-event-stream version 0.6.0 or later and update any dependent SDKs accordingly. Avoid connecting to untrusted servers using the event-stream protocol.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-5190 vulnerability, users should upgrade aws-c-event-stream to version 0.6.0 or later.
Additionally, upgrade any higher-level AWS SDKs that depend on aws-c-event-stream to the fixed versions or later, including:
- aws-iot-device-sdk-cpp-v2 to version 1.42.1 or later
- aws-iot-device-sdk-java-v2 to version 1.30.1 or later
- aws-iot-device-sdk-python-v2 to version 1.28.2 or later
- aws-iot-device-sdk-js-v2 to version 1.25.1 or later
- aws-sdk-swift to version 1.6.70 or later
- aws-sdk-cpp to version 1.11.764 or later
As a workaround, avoid connecting to untrusted third-party servers using the event-stream protocol, since the vulnerability requires a malicious server to trigger.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided in the available resources about detection methods or commands to identify this vulnerability on a network or system.