Description
Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages.

To remediate this issue, users should upgrade to version 0.6.0 or later.
Published: 2026-03-31
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An out‑of‑bounds write was discovered in the streaming decoder component of the aws‑c‑event‑stream library in versions older than 0.6.0. The flaw can be triggered by specially crafted event‑stream messages, allowing a threat actor who controls a server to corrupt the memory of any client application that processes those messages. The resulting memory corruption can lead to arbitrary code execution, exposing the client to compromise of confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects the aws‑c‑event‑stream library from AWS, impacting all releases before 0.6.0. Any client application or service that consumes event‑stream data from external sources and links against this library is at risk, including integrations with AWS EventBridge, custom event brokers, or any service that processes event‑stream traffic on a machine running a vulnerable library.

Risk and Exploitability

The formal CVSS rating of 7.7 signals a high severity level, and the issue is not listed in the CISA known exploited vulnerabilities catalog. Because the flaw is triggered by data received from a remote server, the attack vector is remote: an adversary that can send malicious event‑stream payloads can exploit the buffer overflow. No exploit probability score is publicly available, but the potential for arbitrary code execution makes the risk significant for systems exposed to untrusted event streams.

Generated by OpenCVE AI on March 31, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aws‑c‑event‑stream to version 0.6.0 or newer

Generated by OpenCVE AI on March 31, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Aws
Aws aws-c-event-stream
Vendors & Products Aws
Aws aws-c-event-stream

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, users should upgrade to version 0.6.0 or later.
Title AWS C Event Stream Streaming Decoder Stack Buffer Overflow
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Aws Aws-c-event-stream
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-01T03:55:47.631Z

Reserved: 2026-03-30T20:05:41.435Z

Link: CVE-2026-5190

cve-icon Vulnrichment

Updated: 2026-03-31T17:48:08.997Z

cve-icon NVD

Status : Received

Published: 2026-03-31T18:16:59.080

Modified: 2026-03-31T18:16:59.080

Link: CVE-2026-5190

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:37:46Z

Weaknesses