Description

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, users should upgrade to version 0.6.0 or later.

PUBLISHED Reserved 2026-03-30 | Published 2026-03-31 | Updated 2026-04-01 | Assigner AMZN




HIGH: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

HIGH: 7.7 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-787: Out-of-bounds Write

Product status

Default status: unaffected

0.6.0: unaffected

References

aws.amazon.com/security/security-bulletins/2026-011-aws/ vendor-advisory

github.com/...stream/security/advisories/GHSA-xvjw-fjq5-68hf third-party-advisory

github.com/awslabs/aws-c-event-stream/releases/tag/v0.6.0 patch

cve.org (CVE-2026-5190)

nvd.nist.gov (CVE-2026-5190)
