CVE-2026-5707 | THREATINT

Description

Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-06 | Updated 2026-04-07 | Assigner AMZN

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')

Product status

Default status

unaffected

2025.03 (custom)

affected

References

github.com/aws/res/releases/tag/2026.03 release-notes

github.com/aws/res/issues/151 patch

aws.amazon.com/security/security-bulletins/2026-014-aws/ vendor-advisory

cve.org (CVE-2026-5707)

nvd.nist.gov (CVE-2026-5707)

Download JSON