CVE-2026-5190
Published: 31 March 2026
Summary
CVE-2026-5190 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the aws-c-event-stream library maintained by Amazon (AWS). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5190 is an out-of-bounds write vulnerability (CWE-787) in the streaming decoder component of the aws-c-event-stream library prior to version 0.6.0. It affects client applications that process event-stream messages using this library. Published on 2026-03-31, the issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
A third party operating a server can exploit the vulnerability by sending crafted event-stream messages to a client application that connects to it. Per the CVSS vector, exploitation requires network access and user interaction on the client side, carries high attack complexity, and needs no privileges on the attacker's part. Successful exploitation causes memory corruption that can lead to arbitrary code execution on the affected client.
AWS and GitHub advisories recommend upgrading to aws-c-event-stream version 0.6.0 or later to remediate the issue. Because the library ships as a component of the AWS Common Runtime (CRT), the vulnerable copy may be vendored or statically linked into higher-level AWS SDKs rather than installed as a separate package, so check transitive and bundled dependencies as well as direct ones. Key references are the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-011-aws/, the release notes at https://github.com/awslabs/aws-c-event-stream/releases/tag/v0.6.0, and the GitHub security advisory at https://github.com/awslabs/aws-c-event-stream/security/advisories/GHSA-xvjw-fjq5-68hf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17575
Vulnerability details
Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, users should upgrade to version 0.6.0 or later.
CWE: CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1203: Exploitation for Client Execution
Why these techniques?
The out-of-bounds write in the client-side streaming decoder allows a malicious server to send crafted event-stream messages, directly enabling exploitation for arbitrary code execution on the client application (T1203: Exploitation for Client Execution).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates identifying, reporting, and applying flaw remediation, here by upgrading the vulnerable aws-c-event-stream library to version 0.6.0 or later to eliminate the out-of-bounds write.
- SI-16 (Memory Protection): requires memory protection mechanisms such as address space layout randomization and stack guards, which raise the cost of turning an out-of-bounds write in the streaming decoder into arbitrary code execution but do not remove the underlying defect.
- SI-10 (Information Input Validation): requires validation of event-stream message inputs, so that crafted messages with inconsistent framing are detected and rejected before the decoder acts on them.
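The decoder behaviour described under Deeper analysis and the input-validation control above are illustrated by the following added example. It is illustrative code written for this page, not aws-c-event-stream's own code, and it does not reproduce the specific defect fixed in 0.6.0, which this page does not describe. It assumes the public vnd.amazon.eventstream framing (a 12-byte prelude of total_length, headers_length and prelude CRC, then headers, payload and a 4-byte message CRC), a hypothetical 16 MiB message cap, and constructed sample frames; CRC verification is deliberately omitted to keep the focus on length checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* vnd.amazon.eventstream framing: a 12-byte prelude (total_length,
 * headers_length, prelude CRC; all big-endian), then headers, then
 * payload, then a 4-byte message CRC. */
#define ES_PRELUDE_LEN 12u
#define ES_MSG_CRC_LEN 4u
#define ES_MIN_MSG_LEN (ES_PRELUDE_LEN + ES_MSG_CRC_LEN)
#define ES_MAX_MSG_LEN (16u * 1024u * 1024u) /* assumed cap, chosen for this example */

enum es_status {
    ES_OK = 0,
    ES_NEED_MORE,       /* fewer bytes buffered than the prelude declares */
    ES_BAD_TOTAL_LEN,   /* total_length below framing overhead or above the cap */
    ES_BAD_HEADERS_LEN  /* headers_length would overrun the declared frame */
};

struct es_frame {
    const uint8_t *headers; uint32_t headers_len;
    const uint8_t *payload; uint32_t payload_len;
    uint32_t frame_len;     /* bytes to consume from the stream */
};

static uint32_t es_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void es_put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Bounds-checked decoder: each wire length is validated against the bytes
 * actually held before any pointer or sub-length is derived from it. The
 * unsafe pattern this guards against is trusting total_length or
 * headers_length and indexing or copying straight from them. CRCs are not
 * verified here; a real decoder must check both before acting on a frame. */
enum es_status es_decode(const uint8_t *buf, size_t buf_len, struct es_frame *out)
{
    if (buf_len < ES_PRELUDE_LEN)
        return ES_NEED_MORE;
    uint32_t total = es_be32(buf);
    uint32_t hlen = es_be32(buf + 4);
    if (total < ES_MIN_MSG_LEN || total > ES_MAX_MSG_LEN)
        return ES_BAD_TOTAL_LEN;
    /* No underflow: total >= ES_MIN_MSG_LEN was just established. */
    if (hlen > total - ES_MIN_MSG_LEN)
        return ES_BAD_HEADERS_LEN;
    if (buf_len < total)
        return ES_NEED_MORE;
    out->headers = buf + ES_PRELUDE_LEN;
    out->headers_len = hlen;
    out->payload = out->headers + hlen;
    out->payload_len = total - ES_MIN_MSG_LEN - hlen;
    out->frame_len = total;
    return ES_OK;
}

/* Builds a 24-byte frame around a constructed 8-byte body (4 header bytes,
 * 4 payload bytes) using caller-chosen prelude values, so inconsistent
 * (crafted) preludes can be produced, then decodes it. CRC fields are
 * zeroed. On ES_OK, *payload_len receives the decoded payload length
 * (pass NULL to ignore). */
enum es_status es_try(uint32_t total, uint32_t hlen, uint32_t *payload_len)
{
    static const uint8_t body[8] = { 'H','H','H','H','P','P','P','P' };
    uint8_t buf[ES_PRELUDE_LEN + sizeof body + ES_MSG_CRC_LEN];
    struct es_frame f;
    es_put32(buf, total);
    es_put32(buf + 4, hlen);
    memset(buf + 8, 0, 4);
    memcpy(buf + ES_PRELUDE_LEN, body, sizeof body);
    memset(buf + ES_PRELUDE_LEN + sizeof body, 0, ES_MSG_CRC_LEN);
    enum es_status s = es_decode(buf, sizeof buf, &f);
    if (s == ES_OK && payload_len)
        *payload_len = f.payload_len;
    return s;
}

int main(void)
{
    uint32_t plen = 0;
    enum es_status s = es_try(24, 4, &plen);
    printf("consistent prelude -> %d (payload %u bytes)\n", s, plen);
    printf("oversized headers  -> %d\n", es_try(24, 100, NULL));
    printf("huge total_length  -> %d\n", es_try(0xFFFFFFFFu, 4, NULL));
    printf("short total_length -> %d\n", es_try(8, 0, NULL));
    return 0;
}
```

The order of the checks matters: total_length is range-checked before headers_length is compared against it, so the subtraction cannot wrap, and the buffered length is compared against the declared total before any pointer into headers or payload is formed. A decoder that derives the payload offset from headers_length first, or sizes a copy from total_length without confirming it holds that many bytes, is the class of bug the page's CWE-787 classification points to.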