Description
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames.

To remediate this issue, users should upgrade to aws-c-http version 0.11.0.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library allows memory corruption when a client receives a crafted sequence of HTTP/2 HEADERS frames. This double‑free flaw can lead to arbitrary code execution on the client, compromising confidentiality, integrity, and availability. The weakness is identified as CWE‑415.

Affected Systems

AWS provides the aws-c-http library used by applications that implement HTTP/2. Versions prior to 0.11.0 include the unsafe handling of HPACK table size updates. Anyone integrating an older release of aws-c-http into a client application is vulnerable; the vulnerability is triggered by a server that supplies malicious HTTP/2 frames.

Risk and Exploitability

The CVSS score of 8.7 marks the flaw as High severity. Because the exploit requires only a malicious server communicating over HTTP/2, it is remotely exploitable without local privileges. The exploit probability cannot be quantified via EPSS as it is not available, and the vulnerability is not listed in CISA KEV. The risk is therefore significant for any client that accepts connections from potentially untrusted servers, and the likelihood of exploitation is high in environments where such connections are common.

Generated by OpenCVE AI on June 12, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the aws-c-http library to version 0.11.0 or later.
  • Restrict client connections to trusted servers only, implementing certificate validation and, if possible, mutual TLS.
  • If upgrade is not possible immediately, isolate the vulnerable library behind a proxy that sanitizes HTTP/2 HEADERS frames or disable HPACK dynamic table updates if the library configuration allows it.
  • Keep the underlying TLS and HTTP frameworks patched by applying vendor updates to mitigate any ancillary weaknesses.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:45:00 +0000


Fri, 12 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0.
Title | | Heap double-free in AWS Common Runtime aws-c-http
First Time appeared | | Aws; Aws aws-c-http
Weaknesses | | CWE-415
CPEs | | cpe:2.3:a:aws:aws-c-http:*:*:*:*:*:*:*:*
Vendors & Products | | Aws; Aws aws-c-http
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-12T18:49:54.683Z

Reserved: 2026-06-11T19:50:48.263Z

Link: CVE-2026-12043

Vulnrichment

Updated: 2026-06-12T18:49:51.582Z

NVD

Status: Received

Published: 2026-06-12T19:16:26.420

Modified: 2026-06-12T20:16:44.690

Link: CVE-2026-12043

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:14Z

Weaknesses