Amazon Aws


Recent Amazon Aws Security Advisories

Advisory Title | Published
CVE-2026-14265 - Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin | July 1, 2026
CVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib | July 1, 2026
CVE-2026-13769 - Insecure file permissions in AWS CLI | July 1, 2026
CVE-2026-13762 and CVE-2026-13763 - Issue with HTTP/2 multi-frame request body inspection in AWS WAF | June 29, 2026
CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins | June 23, 2026
Issue with containerd CRI Plugin - CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262 | June 19, 2026
CVE-2026-12530 - Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages() | June 17, 2026
CVE-2026-11931 - Insecure Permissions on Authentication Token Cache File in Kiro IDE | June 15, 2026
CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http | June 12, 2026
CVE-2026-10740 - Excessive memory allocation in s2n-quic | June 10, 2026

By the Year

In 2026 there have been 72 vulnerabilities in Amazon Aws with an average score of 7.4 out of ten. Last year, in 2025, Aws had 46 security vulnerabilities published. That is 26 more vulnerabilities already reported in 2026 than in all of last year, and the average CVE base score of the 2026 vulnerabilities is higher by 0.67.

Year | Vulnerabilities | Average Score
2026 | 72 | 7.35
2025 | 46 | 6.68
2024 | 21 | 6.82
2023 | 9 | 7.19
2022 | 9 | 8.00
2021 | 4 | 8.83
2020 | 4 | 5.68

It may take a day or so for new Aws vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Amazon Aws Security Vulnerabilities

AWS Advanced JDBC Wrapper 3.3-4.0 RemoteQueryCachePlugin Deserialization RCE
CVE-2026-14265 7.5 - High - July 01, 2026

Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned. We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.

Marshaling, Unmarshaling

OS Command Injection in aws-cdk-lib NodejsFunction Docker Bundling (v2.260.0 Fix)
CVE-2026-13760 7.3 - High - July 01, 2026

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. To remediate this issue, users should upgrade to v2.260.0.

Shell injection

AWS CLI <=1.44.77 / <=2.34.28: Overly Permissive File Permissions Expose Credentials
CVE-2026-13769 5.5 - Medium - July 01, 2026

Overly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most systems) may allow other local users on the same host to read credentials written by certain CLI subcommands (aws codeartifact login, aws iam create-virtual-mfa-device, aws deploy register). To remediate this issue, users should upgrade to AWS CLI 1.44.78 (v1) or 2.34.29 (v2) or later.

Incorrect Permission Assignment for Critical Resource

containerd CRI path traversal bug pre-2.3.2/2.2.5/2.1.9
CVE-2026-53489 - July 01, 2026

containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Symlink following

containerd CDI Annotation Injection via Untrusted Checkpoints (pre-2.3.2)
CVE-2026-53492 - July 01, 2026

containerd is an open-source container runtime. In versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Improper Input Validation

containerd CRI Checkpoint Image Cache Poisoning (v<2.3.2,2.2.5,2.1.9)
CVE-2026-50195 - July 01, 2026

containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.

Insufficient Verification of Data Authenticity

containerd DoS via faulty image load causing OOM kill (v<1.7.33,2.0.10,2.1.9)
CVE-2026-47262 - July 01, 2026

containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2 contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.

Resource Exhaustion

CRI Label Injection in containerd 1.7.x/2.0-2.3 (1.7.33/2.3.2)
CVE-2026-53488 - July 01, 2026

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.

Improper Input Validation

AWS ALB HTTP/2 WAF Bypass via Fragmented Body Inspection
CVE-2026-13763 9.8 - Critical - June 29, 2026

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated with an ALB load balancer. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection

HTTP Request Smuggling

CloudFront AWS WAF HTTP/2 Body Inspection Bypass
CVE-2026-13762 9.8 - Critical - June 29, 2026

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required.

HTTP Request Smuggling

AWS Language Server v1.69.0 Symlink Validation Flaw Enables Arbitrary File Write
CVE-2026-12958 7.8 - High - June 23, 2026

Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate this issue, users should upgrade to version 1.69.0 or higher.

Symlink following

CVE-2026-12957: Code Exec in AWS Language Servers <1.65.0 via Malicious Workspace
CVE-2026-12957 7.8 - High - June 23, 2026

Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.

Incorrect Permission Assignment for Critical Resource

AWS Bedrock AgentCore SDK 1.1.3-1.6.1 Remote Cmd via install_packages
CVE-2026-12530 7.3 - High - June 17, 2026

Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments. To mitigate this issue, users should upgrade to version 1.6.1.

Argument Injection

Kiro IDE 0.11.133 fixes insecure token cache permissions (CVE-2026-11931)
CVE-2026-11931 5.5 - Medium - June 15, 2026

Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600). To remediate this issue, users should upgrade to Kiro IDE version 0.11.133 or later. After upgrading and restarting the application, the cache file permissions are automatically updated on the next token refresh. Users operating in a multi-user environment can invalidate existing tokens by reauthenticating.

Incorrect Default Permissions

AWS Common Runtime aws-c-http 0.11.0: HPACK CVE-2026-12043
CVE-2026-12043 8.8 - High - June 12, 2026

Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0.

Double-free

s2n-quic 1.8.2+ Unbounded CRYPTO frame reassembler DoS
CVE-2026-10740 5.3 - Medium - June 10, 2026

Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.

Allocation of Resources Without Limits or Throttling

OS Command Injection NodejsFunction bundling in aws-cdk-lib <2.245.0
CVE-2026-11417 7.3 - High - June 10, 2026

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.

Shell injection

CVE-2026-11393: AgentCore CLI v<0.14.2 RCE via triple-quote code gen
CVE-2026-11393 9 - Critical - June 08, 2026

Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2.

Code Injection

AWS Adv Go Wrapper GDBP Untrusted Search Path Escalation
CVE-2026-11401 8 - High - June 05, 2026

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper. To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26.

Untrusted Path

AWS Advanced JDBC Wrapper 4.0.0 GlobalDatabasePlugin Search Path Escalation
CVE-2026-11400 8 - High - June 05, 2026

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through an affected wrapper. To remediate this issue, users should upgrade to AWS Advanced JDBC Wrapper version 4.0.1.

Untrusted Path

Graph Explorer v<3.0.1 HTTP Fallback Enables HTTPS Interception
CVE-2026-10584 5.9 - Medium - June 02, 2026

Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later.

Cleartext Transmission of Sensitive Information

Amazon Kiro IDE <0.11 File Write CA Remote Exec
CVE-2026-10591 8.8 - High - June 02, 2026

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.

Incorrect Permission Assignment for Critical Resource

Linux kernel: skb shared-frag flag mispropagated in frag-transfer helpers
CVE-2026-46300 7.8 - High - May 23, 2026

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers.

In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

Write-what-where Condition

Amazon Braket SDK 1.117.0 Fix: Insecure Deserialization (Remote Exec)
CVE-2026-9291 7.1 - High - May 22, 2026

Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later.

Marshaling, Unmarshaling

Kiro CLI <1.28.0: Missing input validation allows arbitrary tool exec via stdin
CVE-2026-9255 7.8 - High - May 22, 2026

Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you upgrade to kiro-cli version 1.28.0 or later.

AuthZ

Amazon MQ rabbitmq-aws <0.2.1: Debug ARN allows remote file read
CVE-2026-9133 7.7 - High - May 20, 2026

Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process. To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys.

Active Debug Code

Amazon Redshift Python Driver eval() Vulnerability in vector_in() before 2.1.14
CVE-2026-8838 9.8 - Critical - May 18, 2026

Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14.

Code Injection

coreMQTT v5.0.1 DoS via Missing Bounds Validation in MQTT v5.0 Prop Parser
CVE-2026-8686 7.5 - High - May 15, 2026

Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users should upgrade to v5.0.1.

Out-of-bounds Read

Amazon SageMaker SDK v2/v3 Remote Code Exec via Unverified Triton Inference
CVE-2026-8597 7.2 - High - May 14, 2026

Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle payload that is deserialized without verification. This issue requires a remote authenticated actor with S3 write access to the model artifact path. To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuilding any Triton models previously created with ModelBuilder using the updated SDK.

Improper Validation of Integrity Check Value

Cleartext Sensitive Info in SageMaker Python SDK <v2.257.2/v3<3.8.0
CVE-2026-8596 7.2 - High - May 14, 2026

Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially crafted model artifacts, achieving code execution in inference containers. This issue requires a remote authenticated actor with permissions to call SageMaker describe APIs and S3 write access to the model artifact path. To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuilding any models previously created with ModelBuilder using the updated SDK.

Cleartext Storage of Sensitive Information

Arbitrary Class Execution via URL in Amazon Redshift JDBC Driver <2.2.2
CVE-2026-8178 8.1 - High - May 08, 2026

An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later.

Reflection Injection

Linux Kernel ESP: Prevent In-Place Decrypt on Shared skb Frags
CVE-2026-43284 7.8 - High - May 08, 2026

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

Write-what-where Condition

Privilege Escalation in Amazon WorkSpaces Skylight WS Config (before 2.6.2034)
CVE-2026-7791 7.8 - High - May 04, 2026

Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.

TOCTTOU

Amazon ECS Agent FSx WinFS OS Command Injection <v1.103.0
CVE-2026-7461 7.2 - High - April 30, 2026

Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. To remediate this issue, users should upgrade to version 1.103.0.

Shell injection

FreeRTOS-Plus-TCP <4.2.6, <4.4.1 IPv6 RA Prefix Length Overflow
CVE-2026-7426 8.1 - High - April 29, 2026

Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted. To mitigate this issue, users should upgrade to the fixed version when available.

Memory Corruption

FreeRTOS-Plus-TCP <= V4.4.1: IPv6 RA Prefix truncation DoS
CVE-2026-7425 6.5 - Medium - April 29, 2026

Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size. To mitigate this issue, users should upgrade to the fixed version when available.

Out-of-bounds Read

FreeRTOS-Plus-TCP DHCPv6 Integer Underflow (V4.4.1/4.2.6)
CVE-2026-7424 8.1 - High - April 29, 2026

Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device's IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet. The issue is present whenever DHCPv6 is enabled. To mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer.

Integer underflow

Integer Underflow in FreeRTOS-Plus-TCP ICMP Handlers V4.4.1/V4.2.6
CVE-2026-7423 5.3 - Medium - April 29, 2026

Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB. To mitigate this issue, users should upgrade to the fixed version when available.

Integer underflow

FreeRTOS-Plus-TCP MAC Spoof Loophole before v4.4.1
CVE-2026-7422 6.5 - Medium - April 29, 2026

Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint. To mitigate this issue, users should upgrade to the fixed version when available.

Authentication Bypass by Spoofing

qnabot-on-aws <7.3 Code Exec via static-eval Exploit (CVE-2026-7191)
CVE-2026-7191 7.2 - High - April 27, 2026

Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the intended expression sandbox through JavaScript prototype manipulation. This may grant direct access to backend resources (Lambda environment variables, OpenSearch indices, S3 objects, DynamoDB tables) that are not exposed through normal administrative interfaces. We recommend you upgrade to version 7.3.0 or above.

Code Injection

AWS Tough v<0.22.0 Path Traversal via Absolute Target Names
CVE-2026-6968 5.9 - Medium - April 24, 2026

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

Directory traversal

tough <0.22.0: Missing Exp/Hash/Len in Delegated Metadata (CVE-2026-6967)
CVE-2026-6967 5.9 - Medium - April 24, 2026

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

Insufficient Verification of Data Authenticity

Signature Verification Flaw in AWS Tough <0.22.0 (go)
CVE-2026-6966 5.3 - Medium - April 24, 2026

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

Improper Verification of Cryptographic Signature

AWS Ops Wheel Cognito User Pool Attribute Escalation via UpdateUserAttributes
CVE-2026-6912 8.8 - High - April 24, 2026

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

Mass Assignment

AWS Ops Wheel JWT Signature Bypass (CVE-2026-6911)
CVE-2026-6911 9.8 - Critical - April 24, 2026

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

Improper Verification of Cryptographic Signature

CVE-2026-31431: Linux Kernel Algif_aead In-Place Operation Vulnerability Reverted
CVE-2026-31431 7.8 - High - April 22, 2026

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

Incorrect Resource Transfer Between Spheres

AWS Encryption SDK Python - Crypto Downgrade in Cache Pre-3.3.1/4.0.5
CVE-2026-6550 4.7 - Medium - April 20, 2026

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Algorithm Downgrade

AWS EFS CSI Driver <v3.0.1: Mount Option Injection via Argument Delimiter
CVE-2026-6437 6.5 - Medium - April 17, 2026

Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection. To remediate this issue, users should upgrade to version v3.0.1.

Argument Injection

Out-of-Bounds Write in virtio PCI Transport (Firecracker <=1.15.0)
CVE-2026-5747 7.5 - High - April 07, 2026

An out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. To remediate this, users should upgrade to Firecracker 1.14.4 or 1.15.1 and later.

Memory Corruption

RES FileBrowser API Unsanitized Input (pre-2026.03) Enables RCE
CVE-2026-5709 8.8 - High - April 06, 2026

Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

Shell injection


Vendor: Amazon
Product: Amazon Aws