CVE-2026-35559 - Vulnerability Details

- Out-of-bounds write in query processing components in Amazon Athena ODBC driver

Description

Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations.

To remediate this issue, users should upgrade to version 2.1.0.0.

Published: 2026-04-03

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an out‑of‑bounds write in the query processing components of the Amazon Athena ODBC driver before version 2.1.0.0. When the driver receives specially crafted data as part of a query, it may overwrite memory and crash, which results in the driver terminating and disrupting any application that relies on it. The flaw is a buffer overflow (CWE‑787) and does not provide an attacker with code execution or data disclosure.

Affected Systems

The affected product is the Amazon Athena ODBC driver on Windows, macOS, and Linux. Versions earlier than 2.1.0.0 on these operating systems are susceptible, regardless of whether the driver is installed locally or used in a corporate data‑analysis workflow.

Risk and Exploitability

The CVSS base score of 7.1 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a malicious query sent through an ODBC connection that triggers the out‑of‑bounds write, so the threat actor needs to have the ability to submit queries to the driver.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Amazon

Amazon Athena ODBC driver

unaffected

Version	Status	Constraints
`2.1.0.0`	unaffected	—

Configuration 1 [-]

AND

cpe:2.3:a:amazon:athena_odbc:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Amazon

Amazon Athena Odbc Driver

100%

Version	Status	Scheme	Platform
`2.1.0.0`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Amazon Athena ODBC driver to version 2.1.0.0 or later on all affected systems.
Verify the installed driver version by querying it or checking the installation directory.
If an immediate upgrade cannot be performed, restrict the use of the affected driver and monitor for abnormal query patterns that might indicate malicious activity.
Consider applying network segmentation or firewall rules to limit exposure of ODBC services to trusted clients.

Generated by OpenCVE AI on April 14, 2026 at 18:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0008.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://aws.amazon.com/security/security-bulletins/2026-013-aws/
https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi

History

Tue, 14 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon athena Odbc Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:amazon:athena_odbc:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Amazon athena Odbc Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Tue, 07 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon Amazon amazon Athena Odbc Driver
Vendors & Products		Amazon Amazon amazon Athena Odbc Driver

Fri, 03 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations. To remediate this issue, users should upgrade to version 2.1.0.0.
Title		Out-of-bounds write in query processing components in Amazon Athena ODBC driver
Weaknesses		CWE-787
References		https://aws.amazon.com/security/security-bulletins/2026-013-aws/ https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}` cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Amazon Amazon Athena Odbc Driver Athena Odbc

Apple Macos

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: AMZN

Published: 2026-04-03T20:13:29.590Z

Updated: 2026-04-07T14:25:39.392Z

Reserved: 2026-04-03T13:43:36.914Z

Link: CVE-2026-35559

Vulnrichment

Updated: 2026-04-07T14:25:35.439Z

NVD

Status : Analyzed

Published: 2026-04-03T21:17:11.900

Modified: 2026-04-14T16:14:00.203

Link: CVE-2026-35559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object