
CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http

Bulletin ID: 2026-043-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/12/2026 11:45 AM PDT

Description:

AWS Common Runtime aws-c-http is an HTTP client library used by AWS SDKs for handling HTTP requests to AWS services. We identified CVE-2026-12043, an issue where improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote actor operating a server to cause memory corruption in a connecting client application via a crafted sequence of HTTP/2 HEADERS frames, potentially leading to arbitrary code execution.

Impacted versions: aws-c-http >= 0.4.22 AND <= 0.10.15

Exposed in the following SDK versions:

  • aws-sdk-cpp >= 1.11.41, <= 1.11.814
  • aws-sdk-java-v2 >= 2.44.27, <= 2.44.14

Resolution:

This issue has been addressed in aws-c-http version 0.11.0. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
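
An added example, not part of the AWS bulletin: a Python check of a dependency inventory against the version ranges listed above. The `package==version` inventory format and the sample entries are assumptions constructed for illustration; versions are compared numerically because string comparison misorders 0.9.2 and 0.10.15, and the aws-sdk-java-v2 bounds, whose lower bound is above the upper bound as published, are reported for manual review rather than matched.

```python
import re

# Ranges copied from the bulletin (inclusive lower and upper bounds).
AFFECTED = {
    "aws-c-http": ("0.4.22", "0.10.15"),
    "aws-sdk-cpp": ("1.11.41", "1.11.814"),
    "aws-sdk-java-v2": ("2.44.27", "2.44.14"),
}

def parse(version):
    """Turn '0.10.15' into (0, 10, 15) so comparison is numeric, not lexical."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.groups())

def classify(package, version):
    """Return 'affected', 'not-affected', 'review' or 'unlisted'."""
    if package not in AFFECTED:
        return "unlisted"
    try:
        v = parse(version)
    except ValueError:
        return "review"          # e.g. a git hash or a -SNAPSHOT build
    lo, hi = (parse(b) for b in AFFECTED[package])
    if lo > hi:
        return "review"          # bounds as published do not form a range
    return "affected" if lo <= v <= hi else "not-affected"

def scan(inventory):
    """inventory: iterable of 'package==version' lines (assumed format)."""
    results = {}
    for line in inventory:
        line = line.strip()
        package, _, version = line.partition("==")
        results[line] = classify(package.strip(), version)
    return results

# Constructed sample inventory, not taken from a real deployment.
SAMPLE = [
    "aws-c-http==0.10.15", "aws-c-http==0.9.2", "aws-c-http==0.11.0",
    "aws-c-http==0.4.3", "aws-sdk-cpp==1.11.100",
    "aws-sdk-java-v2==2.44.20", "libcurl==8.5.0",
]

if __name__ == "__main__":
    for item, status in scan(SAMPLE).items():
        print(f"{status:13} {item}")
```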

Workarounds:

Force HTTP/1.1 connections if available.

References:


Please email aws-security@amazon.com with any security questions or concerns.