CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver

unknownCVE-2026-6437
Bulletin ID: 2026-016-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/17 11:15 AM PDT Description: The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System. We identified CVE-2026-6437, where an actor with PersistentVolume creation privileges can inject arbitrary mount options via two unsanitized fields: the Access Point ID in volumeHandle and the mounttargetip volumeAttribute. In both cases, appending comma-separated values causes the mount utility to parse them as separate mount options. No AWS service is affected. Impacted versions: EFS CSI Driver <&equal; v3.0.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
An actor can inject arbitrary mount options via unsanitized fields.
Who is affected
Users with PersistentVolume creation privileges in Kubernetes clusters using the EFS CSI Driver.
Urgency
Remediation is important to prevent unauthorized mount option injection.
Action
Update to a version of the EFS CSI Driver above v3.0.0.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch EFS CSI Driver

Get an email when a new EFS CSI Driver advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-016-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-6437coverage & exploitation statusNVD · CVE.org

Recent advisories for - Mount Option

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from AWS Security Bulletins