CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-5190

highcovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: 2026-011-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/31 10:15 AM PDT Description: AWS Common Runtime library is used by several AWS SDKs to communicate with event-stream services (Ex. Kinesis, Transcribe). We identified CVE-2026-5190. AWS Common Runtime event-stream decoder component before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. Impacted versions: - aws-c-event-stream < 0.6.0and the following higher level libraries that expose event-stream functionality - aws-iot-device-sdk-cpp-v2 < 1.42.1 - aws-iot-device-sdk-java-v2 < 1.30.1 - aws-iot-device-sdk-python-v2 < 1.28.2 - aws-iot-device-sdk-js-v2 < 1.25.1 - aws-sdk-swift < 1.6.70 - aws-sdk-cpp < 1.11.764 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
A stack buffer overflow in the event-stream decoder may allow a third party to cause memory corruption leading to arbitrary code execution.
Who is affected
Client applications using AWS Common Runtime versions before 0.6.0.
Urgency
Remediation is high priority due to the potential for arbitrary code execution.
Action
Upgrade to AWS Common Runtime version 0.6.0 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-5190

Get an email if CVE-2026-5190 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-5190

CVE.org record

Embed the live status

CVE-2026-5190 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-5190 status](https://www.csirts.com/badge/CVE-2026-5190)](https://www.csirts.com/cve/CVE-2026-5190)