CVE-2026-12043
Description
A memory corruption vulnerability in aws-c-http's HPACK handling allows a malicious HTTP/2 server to achieve remote code execution on connecting clients.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library (used by AWS SDKs) allows a remote HTTP/2 server to trigger memory corruption on a connecting client. Affected versions are aws-c-http >= 0.4.22 and <= 0.10.15 [2]. The vulnerability is reachable when a client processes a crafted sequence of HTTP/2 HEADERS frames that manipulate HPACK dynamic table size updates [1][2].
Exploitation
An attacker must operate a malicious HTTP/2 server that the client connects to; no prior authentication is required. The attacker sends a crafted sequence of HTTP/2 HEADERS frames that exploit the improper handling of HPACK dynamic table size updates, causing memory corruption on the client [2].
Impact
Successful exploitation can lead to arbitrary code execution on the client application, running with the privileges of the client process. This could result in full compromise of the client system [2].
Mitigation
The issue is fixed in aws-c-http version 0.11.0 [1]. Users should upgrade to this version. As a workaround, force HTTP/1.1 connections if available. Affected SDK versions include aws-sdk-cpp >= 1.11.41 and <= 1.11.814, and aws-sdk-java-v2 >= 2.44.27 and <= 2.44.14 [2].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
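To make the affected ranges above actionable, here is an added Python check (not code from the advisory, from AWS, or from the aws-c-http project) that compares installed versions numerically against the inclusive ranges quoted above. The manifest format and sample lines are constructed, and the aws-sdk-java-v2 bounds are encoded exactly as printed (lower bound above upper), which the check treats as an empty range rather than guessing the intended bounds.

```python
"""Advisory range check for CVE-2026-12043 (added example, not the advisory's code)."""
import re
from typing import Optional

# Inclusive version ranges exactly as printed in the advisory text.
AFFECTED = {
    "aws-c-http":      ("0.4.22", "0.10.15"),
    "aws-sdk-cpp":     ("1.11.41", "1.11.814"),
    "aws-sdk-java-v2": ("2.44.27", "2.44.14"),  # printed inverted; encoded literally
}
FIXED = {"aws-c-http": "0.11.0"}  # fixed release named by the advisory


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into an int tuple so ordering is numeric.
    String comparison is wrong for these ranges: '0.10.15' < '0.4.22' as text."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(package: str, version: str) -> Optional[bool]:
    """True if version lies inside the advisory's inclusive range, False if not,
    None if the package is not listed. An inverted range (low > high) matches nothing."""
    if package not in AFFECTED:
        return None
    low, high = (parse_version(b) for b in AFFECTED[package])
    if low > high:
        return False
    return low <= parse_version(version) <= high


def scan_manifest(manifest: str) -> list:
    """Scan constructed 'name==version' lines; return (name, version, affected)
    for every package the advisory lists, so fixed versions show up as False."""
    findings = []
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if "==" not in line:
            continue
        name, ver = (s.strip() for s in line.split("==", 1))
        hit = is_affected(name, ver)
        if hit is not None:
            findings.append((name, ver, hit))
    return findings


# Constructed sample manifest covering affected, fixed and unlisted packages.
SAMPLE_MANIFEST = """\
aws-c-http==0.9.3        # inside 0.4.22..0.10.15
aws-c-http==0.11.0       # fixed release
aws-sdk-cpp==1.11.500
left-pad==1.3.0          # not in the advisory
"""

if __name__ == "__main__":
    for name, ver, hit in scan_manifest(SAMPLE_MANIFEST):
        print(f"{name}=={ver}: {'AFFECTED' if hit else 'ok'}")
```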
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.