NIXPKGS-2026-0915

GitHub issue published on

Permalink CVE-2026-5190

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 week ago by @LeSuisse Activity log

Created automatic suggestion 1 week ago
@LeSuisse accepted 1 week ago
@LeSuisse published on GitHub 1 week ago

AWS C Event Stream Streaming Decoder Stack Buffer Overflow

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, users should upgrade to version 0.6.0 or later.

References

https://aws.amazon.com/security/security-bulletins/2026-011-aws/ vendor-advisory
https://github.com/awslabs/aws-c-event-stream/security/advisories/GHSA-xvjw-fjq… third-party-advisory
https://github.com/awslabs/aws-c-event-stream/releases/tag/v0.6.0 patch

Affected products

aws-c-event-stream

==0.6.0

Matching in nixpkgs

pkgs.aws-c-event-stream

C99 implementation of the vnd.amazon.eventstream content-type

nixos-unstable 0.5.7
- nixpkgs-unstable 0.5.7
- nixos-unstable-small 0.5.7
nixos-25.11 0.5.7
- nixos-25.11-small 0.5.7
- nixpkgs-25.11-darwin 0.5.7

Package maintainers

@orivej Orivej Desh <orivej@gmx.fr>

Advisory: https://github.com/awslabs/aws-c-event-stream/security/advisories/GHSA-xvjw-fjq5-68hf

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0915

References

Affected products

Matching in nixpkgs

pkgs.aws-c-event-stream

Package maintainers