CVE-2026-35562
Published: 03 April 2026
Summary
CVE-2026-35562 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the Amazon Athena ODBC driver. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 29.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation requires upgrading the Amazon Athena ODBC driver to version 2.1.0.0, directly eliminating the unbounded resource allocation during parsing.
Resource availability protections enforce limits on resource allocation to parsing processes, preventing excessive consumption from crafted inputs.
Information input validation scrutinizes crafted inputs to the ODBC driver's parsing components, blocking those that could trigger unbounded resource use.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets crafted input trigger unbounded resource allocation and exhaustion in the ODBC driver, directly facilitating Application Exhaustion Flood for DoS.
NVD Description
Allocation of resources without limits in the parsing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to cause a denial of service by delivering crafted input that triggers excessive resource consumption during the driver's parsing operations. To remediate this issue, users should upgrade to version 2.1.0.0.
Deeper analysis
CVE-2026-35562 affects the parsing components in the Amazon Athena ODBC driver versions before 2.1.0.0, where allocation of resources without limits (CWE-770) enables excessive resource consumption. Published on 2026-04-03, the vulnerability arises during the driver's parsing operations when processing crafted input, potentially leading to denial of service.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the flaw is exploitable remotely over the network with low attack complexity, no required privileges, and no user interaction. A threat actor can deliver specially crafted input to applications using the vulnerable driver, triggering unbounded resource allocation that causes high-impact availability disruption through resource exhaustion.
AWS advisories recommend upgrading to Amazon Athena ODBC driver version 2.1.0.0 to remediate the issue, as detailed in the security bulletin at https://aws.amazon.com/security/security-bulletins/2026-013-aws/ and release notes at https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html. Patched binaries are available for download, including Linux RPM at https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm, macOS Intel PKG at https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg, and macOS ARM PKG at https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg.
Details
- CWE(s)