Cyber Resilience

CVE-2026-5190

Severity: High
Published: 31 March 2026
Modified: 01 April 2026
KEV Added: not listed
Patch: upgrade to aws-c-event-stream 0.6.0 or later
CVSS v4.0 score: 7.7 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0003 (7.4th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5190 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Amazon's aws-c-event-stream library (vendor inferred from references). Its CVSS v4.0 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks the CVE at the 7.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5190 is an out-of-bounds write vulnerability (CWE-787) in the streaming decoder component of the aws-c-event-stream library prior to version 0.6.0. It affects client applications that process event-stream messages using this library. Published on 2026-03-31, the issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

A third party operating a server can exploit the vulnerability by sending crafted event-stream messages to a client application. Per the CVSS vector, the attack is network-reachable, has high attack complexity, requires no privileges, and depends on user interaction on the client side. Successful exploitation causes memory corruption in the client's decoder, which can lead to arbitrary code execution on the affected client.

AWS and GitHub advisories recommend upgrading to aws-c-event-stream version 0.6.0 or later to remediate the issue. Key references include the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-011-aws/, the release notes at https://github.com/awslabs/aws-c-event-stream/releases/tag/v0.6.0, and the GitHub security advisory at https://github.com/awslabs/aws-c-event-stream/security/advisories/GHSA-xvjw-fjq5-68hf.

EU & UK References

Vulnerability details

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, users should upgrade to version 0.6.0 or later.

CWE(s): CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The out-of-bounds write in the client-side streaming decoder allows a malicious server to send crafted event-stream messages, directly enabling exploitation for arbitrary code execution on the client application (T1203: Exploitation for Client Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-21042 (shared CWE-787)
- CVE-2026-0122 (shared CWE-787)
- CVE-2026-22852 (shared CWE-787)
- CVE-2026-29774 (shared CWE-787)
- CVE-2019-25705 (shared CWE-787)
- CVE-2026-2792 (shared CWE-787)
- CVE-2026-42484 (shared CWE-787)
- CVE-2016-20043 (shared CWE-787)
- CVE-2018-25251 (shared CWE-787)
- CVE-2019-25629 (shared CWE-787)

Affected Assets

Amazon (vendor inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent, SI-2 (Flaw Remediation): directly mandates identifying, reporting, and applying flaw remediation, such as upgrading the vulnerable aws-c-event-stream library to version 0.6.0 or later to eliminate the out-of-bounds write vulnerability.
- Prevent, SI-16 (Memory Protection): implements memory protection mechanisms like address space randomization and stack guards that mitigate memory corruption and arbitrary code execution from out-of-bounds writes in the streaming decoder.
- Prevent, input validation: requires validation of event-stream message inputs to detect and reject crafted messages that could trigger the out-of-bounds write in the aws-c-event-stream decoder.

References