CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http
🔗 CVE IDs covered (1)
📋 Description
Bulletin ID: 2026-043-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/12/2026 11:45 AM PDT
Description:
AWS Common Runtime aws-c-http is a HTTP client library used by AWS SDKs for handling http requests to AWS services. We identified CVE-2026-12043, an issue where improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames.
Impacted versions: aws-c-http >= 0.4.22 AND
Exposed in following sdk versions: - aws-sdk-cpp >= 1.11.41, - aws-sdk-java-v2 >= 2.44.27,
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.