
CVE-2026-5190 - AWS C Event Stream Streaming Decoder Stack Buffer Overflow

Bulletin ID: 2026-011-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 03/31/2026 10:15 AM PST

Description:

The AWS Common Runtime (CRT) library is used by several AWS SDKs to communicate with event-stream services (e.g. Kinesis, Transcribe). We identified CVE-2026-5190: the AWS Common Runtime event-stream decoder component (aws-c-event-stream) before version 0.6.0 might allow a third party operating a server to cause memory corruption, potentially leading to arbitrary code execution, in a client application that processes crafted event-stream messages.

Impacted versions:

  • aws-c-event-stream < 0.6.0, and the following higher-level libraries that expose event-stream functionality:
  • aws-iot-device-sdk-cpp-v2 < 1.42.1
  • aws-iot-device-sdk-java-v2 < 1.30.1
  • aws-iot-device-sdk-python-v2 < 1.28.2
  • aws-iot-device-sdk-js-v2 < 1.25.1
  • aws-sdk-swift < 1.6.70
  • aws-sdk-cpp < 1.11.764

Resolution:

This issue has been addressed in aws-c-event-stream version 0.6.0, aws-iot-device-sdk-cpp-v2 version 1.42.1, aws-iot-device-sdk-java-v2 version 1.30.1, aws-iot-device-sdk-python-v2 version 1.28.2, aws-iot-device-sdk-js-v2 version 1.25.1, aws-sdk-swift version 1.6.70, and aws-sdk-cpp version 1.11.764.

We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
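The impacted-version list and the fixed versions above are easy to misread when checked by hand, because a lexicographic comparison gets them wrong (the string "1.11.8" sorts after "1.11.764", yet 1.11.8 is far below the fix). The following script is an added example, not code from the advisory or from any AWS project: it encodes the fixed-version table from this bulletin, compares versions numerically, and scans a constructed lockfile-style listing for affected entries. It assumes the package names appear exactly as the repository names listed above; the distribution names in your package manager may differ and should be mapped accordingly.

```python
"""Check dependency versions against the CVE-2026-5190 fixed-version table.

Added example for this bulletin; the table below is copied from the
advisory text, everything else (input format, sample data) is constructed.
"""
from __future__ import annotations

import re

# First fixed version per component, from the advisory. Anything below is affected.
FIXED_VERSIONS = {
    "aws-c-event-stream": "0.6.0",
    "aws-iot-device-sdk-cpp-v2": "1.42.1",
    "aws-iot-device-sdk-java-v2": "1.30.1",
    "aws-iot-device-sdk-python-v2": "1.28.2",
    "aws-iot-device-sdk-js-v2": "1.25.1",
    "aws-sdk-swift": "1.6.70",
    "aws-sdk-cpp": "1.11.764",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.11.764' (optionally with a leading 'v' or a '-rc1'/'+build'
    suffix) into an integer tuple so comparisons are numeric, not lexicographic."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(1).split("."))


def is_affected(package: str, version: str) -> bool | None:
    """True if package/version is in the impacted range, False if at or above
    the fix, None if the advisory does not cover this package at all."""
    fixed = FIXED_VERSIONS.get(package)
    if fixed is None:
        return None
    have, need = parse_version(version), parse_version(fixed)
    # Pad to equal length so '0.6' compares equal to '0.6.0', not below it.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def scan_requirements(text: str) -> list[tuple[str, str, str]]:
    """Parse 'name==version', 'name@version' or 'name version' lines (a
    constructed format for this example, '#' starts a comment) and return
    (name, version, first_fixed_version) for every affected entry."""
    affected = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(?:==|@|\s)\s*(\S+)", line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        if is_affected(name, version):
            affected.append((name, version, FIXED_VERSIONS[name]))
    return affected


# Constructed sample input (not from the advisory): a mixed dependency listing.
SAMPLE = """\
aws-sdk-cpp==1.11.8          # numerically far below 1.11.764
aws-sdk-cpp==1.11.764        # exactly the fixed version
aws-c-event-stream==0.5.3
aws-iot-device-sdk-js-v2@1.25.1
aws-sdk-swift==1.6.9
requests==2.31.0             # not covered by the advisory
"""

if __name__ == "__main__":
    for name, version, fixed in scan_requirements(SAMPLE):
        print(f"AFFECTED {name} {version} (fix: >= {fixed})")
```

Run it against your own `pip freeze`, `npm ls` or vcpkg/conan output after mapping distribution names to the repository names used above; the numeric comparison is the part worth keeping, since the 1.11.8 vs 1.11.764 and 1.6.9 vs 1.6.70 cases in the sample are exactly where a string compare would report a vulnerable build as fixed.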

Workarounds:

The issue can only occur when a client communicates over the event-stream protocol with a server operated by a third party. To avoid the issue, ensure that the server being communicated with is trusted. AWS servers would not trigger this issue. Treat this as a mitigation rather than a fix: a client whose endpoint is configurable, or that can be redirected to a host an attacker controls, remains exposed until it is upgraded.

Reference:

We would like to thank 1seal.org for collaborating on this issue through the coordinated vulnerability disclosure process.

Please email aws-security@amazon.com with any security questions or concerns.