Out-of-Bounds Write Vulnerability in AWS C Event Stream by Amazon
CVE-2026-5190

7.7HIGH

Key Information:

Vendor

Aws

Status
Aws-c-event-stream
Vendor
CVE Published:
31 March 2026

What is CVE-2026-5190?

An out-of-bounds write vulnerability exists in the streaming decoder component of AWS C Event Stream prior to version 0.6.0. This flaw could allow an attacker to manipulate server messages, potentially leading to memory corruption and enabling arbitrary code execution within client applications that process specially crafted event-stream messages. To mitigate this risk, it is recommended that users upgrade to version 0.6.0 or later.

Affected Version(s)

aws-c-event-stream 0.6.0

References

https://aws.amazon.com/security/security-bulletins/2026-0...
vendor-advisory
https://github.com/awslabs/aws-c-event-stream/security/ad...
third-party-advisory
https://github.com/awslabs/aws-c-event-stream/releases/ta...
patch

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.