CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-5190 - AWS C Event Stream Streaming Decoder Stack Buffer Overflow

highCVE-2026-5190
Bulletin ID: 2026-011-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/31 10:15 AM PDT Description: AWS Common Runtime library is used by several AWS SDKs to communicate with event-stream services (Ex. Kinesis, Transcribe). We identified CVE-2026-5190. AWS Common Runtime event-stream decoder component before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. Impacted versions: - aws-c-event-stream < 0.6.0and the following higher level libraries that expose event-stream functionality - aws-iot-device-sdk-cpp-v2 < 1.42.1 - aws-iot-device-sdk-java-v2 < 1.30.1 - aws-iot-device-sdk-python-v2 < 1.28.2 - aws-iot-device-sdk-js-v2 < 1.25.1 - aws-sdk-swift < 1.6.70 - aws-sdk-cpp < 1.11.764 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
A stack buffer overflow in the event-stream decoder may allow a third party to cause memory corruption leading to arbitrary code execution.
Who is affected
Client applications using AWS Common Runtime versions before 0.6.0.
Urgency
Remediation is high priority due to the potential for arbitrary code execution.
Action
Upgrade to AWS Common Runtime version 0.6.0 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch AWS Common Runtime

Get an email when a new AWS Common Runtime advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
high
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-011-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-5190coverage & exploitation statusNVD · CVE.org

Recent advisories for - AWS C

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from AWS Security Bulletins