CVE-2026-35562

High · DDoS

Published: 03 April 2026

Modified: 14 April 2026
KEV Added
Patch
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0038 (29.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35562 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the Amazon Athena ODBC driver. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 29.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-35562 affects the parsing components in the Amazon Athena ODBC driver versions before 2.1.0.0, where allocation of resources without limits (CWE-770) enables excessive resource consumption. Published on 2026-04-03, the vulnerability arises during the driver's parsing operations when processing crafted input, potentially leading to denial of service.

With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the flaw is exploitable remotely over the network with low attack complexity, no required privileges, and no user interaction. A threat actor can deliver specially crafted input to applications using the vulnerable driver, triggering unbounded resource allocation that causes high-impact availability disruption through resource exhaustion.

AWS advisories recommend upgrading to Amazon Athena ODBC driver version 2.1.0.0 to remediate the issue, as detailed in the security bulletin at https://aws.amazon.com/security/security-bulletins/2026-013-aws/ and release notes at https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html. Patched binaries are available for download, including Linux RPM at https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm, macOS Intel PKG at https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg, and macOS ARM PKG at https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg.

Vulnerability details

Allocation of resources without limits in the parsing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to cause a denial of service by delivering crafted input that triggers excessive resource consumption during the driver's parsing operations. To remediate this issue, users should upgrade to version 2.1.0.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.003 · Application Exhaustion Flood · Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Vulnerability enables crafted input to trigger unbounded resource allocation and exhaustion in the ODBC driver, directly facilitating Application Exhaustion Flood for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35561 · Same product: Amazon Athena ODBC
CVE-2026-35558 · Same product: Amazon Athena ODBC
CVE-2026-35560 · Same product: Amazon Athena ODBC
CVE-2026-42899 · Same product: Apple macOS
CVE-2026-21218 · Same product: Apple macOS
CVE-2026-26171 · Same product: Apple macOS
CVE-2026-32178 · Same product: Apple macOS
CVE-2026-26127 · Same product: Apple macOS
CVE-2026-7357 · Same product: Apple macOS
CVE-2026-10018 · Same product: Apple macOS

Affected Assets

amazon · athena odbc · ≤ 2.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Timely flaw remediation requires upgrading the Amazon Athena ODBC driver to version 2.1.0.0, directly eliminating the unbounded resource allocation during parsing.

Prevent: Resource availability protections enforce limits on resource allocation to parsing processes, preventing excessive consumption from crafted inputs.

Prevent: Information input validation scrutinizes crafted inputs to the ODBC driver's parsing components, blocking those that could trigger unbounded resource use.
