2026-043-AWS

CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http

Published
June 12, 2026
Last Modified

🔗 CVE IDs covered (1)

📋 Description

Bulletin ID: 2026-043-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/12/2026 11:45 AM PDT Description: AWS Common Runtime aws-c-http is a HTTP client library used by AWS SDKs for handling http requests to AWS services. We identified CVE-2026-12043, an issue where improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. Impacted versions: aws-c-http >= 0.4.22 AND
Exposed in following sdk versions: - aws-sdk-cpp >= 1.11.41, - aws-sdk-java-v2 >= 2.44.27,
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

🔗 References (1)