High severity7.5NVD Advisory· Published Mar 31, 2026· Updated Apr 1, 2026

CVE-2026-5190

Description

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages.

To remediate this issue, users should upgrade to version 0.6.0 or later.

Affected products

Awslabs/Aws C Event Streamreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

aws.amazon.com/security/security-bulletins/2026-011-aws/nvd
github.com/awslabs/aws-c-event-stream/releases/tag/v0.6.0nvd
github.com/awslabs/aws-c-event-stream/security/advisories/GHSA-xvjw-fjq5-68hfnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000