CVE-2026-12043
Memory Corruption in AWS Common Runtime aws-c-http Library

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: AMZN

Description
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0.
Affected Vendors & Products (13 associated CPEs)
Vendor | Product | Version / Range
amazon aws_c_http 0.11.0
amazon aws_c_http From 0.4.22 (inc) to 0.11.0 (exc)
amazon aws_sdk_for_c++ 1.11.41
amazon aws_sdk_for_c++ From 1.11.41 (inc) to 1.11.814 (inc)
amazon aws_sdk_for_java_v2 2.44.27
amazon aws_sdk_for_java_v2 From 2.44.27 (inc) to 2.44.14 (exc)
aws aws-c-http From 0.4.22 (inc) to 0.11.0 (exc)
aws aws-c-http From 0.4.22 (inc) to 0.10.15 (inc)
aws aws-c-http 0.11.0
aws aws-sdk-cpp From 1.11.41 (inc) to 1.11.814 (inc)
aws aws-sdk-cpp 1.11.814
aws aws-sdk-java-v2 From 2.44.27 (inc) to 2.44.14 (exc)
aws aws-sdk-java-v2 2.44.14
CWE
CWE-415: The product calls free() twice on the same memory address.
AI Quick Actions
Executive Summary

CVE-2026-12043 is a vulnerability in the AWS Common Runtime aws-c-http library related to improper handling of HPACK dynamic table size updates in HTTP/2. A remote threat actor operating a server can send specially crafted HTTP/2 HEADERS frames that cause memory corruption on a connecting client application.

This memory corruption can potentially lead to arbitrary code execution on the client side.

Impact Analysis

If you use the affected versions of the aws-c-http library (versions 0.4.22 through 0.10.15) or AWS SDKs that include these versions, a remote server you connect to could exploit this vulnerability by sending crafted HTTP/2 HEADERS frames.

This exploitation could cause memory corruption in your client application, potentially allowing the attacker to execute arbitrary code on your system.

This could lead to unauthorized actions, data compromise, or system instability.

Detection Guidance

This vulnerability involves improper handling of HPACK dynamic table size updates in HTTP/2 HEADERS frames within the aws-c-http library. Detection would involve identifying usage of vulnerable aws-c-http versions (0.4.22 through 0.10.15) or affected AWS SDK versions in your environment.

You can check the version of the aws-c-http library or the AWS SDKs in use on your systems and within your applications to determine whether they fall in the affected ranges.

  • On Linux systems, use commands like `ldd` on your application binaries to identify linked aws-c-http library versions.
  • For AWS SDKs, check the version numbers in your project dependencies or package managers (e.g., `mvn dependency:list` for Java, or inspecting package.json or build files).
  • Monitor network traffic for suspicious or crafted HTTP/2 HEADERS frames from remote servers, which might require specialized HTTP/2 inspection tools or network analyzers.
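The version checks above, as an added example that is not part of this record or of the aws-c-http project: the affected ranges are the ones listed in the table on this page (aws-c-http 0.4.22 up to but excluding 0.11.0, aws-sdk-cpp 1.11.41 through 1.11.814), the `ldd` output is constructed, and the `libaws-c-http.so.<version>` soname pattern is an assumption.

```python
"""Check whether an aws-c-http / AWS SDK version falls in the affected
ranges listed in this CVE record (added example, not the project's code)."""
import re

# Affected ranges as stated on this page: (lower inclusive, upper, upper_inclusive)
AFFECTED = {
    "aws-c-http": ((0, 4, 22), (0, 11, 0), False),    # fixed in 0.11.0
    "aws-sdk-cpp": ((1, 11, 41), (1, 11, 814), True),
}

def parse_version(text):
    """Turn '0.10.15' into (0, 10, 15); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in text.split("."))

def is_affected(product, version):
    """True if `version` of `product` is inside the range this record lists."""
    if product not in AFFECTED:
        return False
    lo, hi, hi_inclusive = AFFECTED[product]
    v = parse_version(version)
    return v >= lo and (v <= hi if hi_inclusive else v < hi)

# Constructed sample of `ldd` output; the soname pattern is an assumption.
SAMPLE_LDD = """\
    linux-vdso.so.1 (0x00007ffd3a1e0000)
    libaws-c-http.so.0.10.12 => /usr/local/lib/libaws-c-http.so.0.10.12 (0x00007f1b2c000000)
    libaws-c-common.so.0.9.0 => /usr/local/lib/libaws-c-common.so.0.9.0 (0x00007f1b2bf00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b2bd00000)
"""

LIB_RE = re.compile(r"libaws-c-http\.so\.(\d+(?:\.\d+)*)")

def scan_ldd_output(text):
    """Return [(version, affected)] for every aws-c-http library line found."""
    found = []
    for line in text.splitlines():
        m = LIB_RE.search(line)
        if m:
            ver = m.group(1)
            found.append((ver, is_affected("aws-c-http", ver)))
    return found

if __name__ == "__main__":
    for ver, hit in scan_ldd_output(SAMPLE_LDD):
        status = "AFFECTED - upgrade to 0.11.0" if hit else "not affected"
        print(f"aws-c-http {ver}: {status}")
```

Statically linked builds do not appear in `ldd` output, so for those check the dependency manifest or lock file the binary was built from instead.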

Mitigation Strategies

The primary mitigation is to upgrade the aws-c-http library to version 0.11.0 or later, which contains the fix for this vulnerability.

If upgrading immediately is not possible, a temporary workaround is to force HTTP/1.1 connections instead of HTTP/2, if your environment and applications support it.

Compliance Impact

CVE-2026-12043 is a high severity vulnerability that can lead to arbitrary code execution, impacting the confidentiality, integrity, and availability of affected systems.

Such impacts could potentially affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly describe how this vulnerability directly affects compliance with these standards or regulations.
