CVE-2026-12043: Heap double-free in AWS Common Runtime aws-c-http
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap double-free vulnerability exists in the AWS Common Runtime aws-c-http library, affecting versions up to and including 0.10.15. The flaw is reachable over the network without authentication, but requires a user or client application to connect to a server controlled by the attacker; a crafted sequence of HTTP/2 HEADERS frames triggers improper HPACK dynamic table size update handling, corrupting heap memory on the connecting client. Successful exploitation gives the attacker arbitrary code execution on the client host. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle aws-c-http as a dependency.
Available
HarborGuard scores this finding at CVSS v4.0 8.7 (HIGH) and applies per-environment compliance policy weighting to prioritize routing. Triage tickets are available for delivery to the appropriate team inbox within each customer organization based on configured ownership rules.
Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the corrected aws-c-http release the moment the upstream vendor ships one. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated automatically at that point.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must operate a reachable server that the victim client connects to over the network; the vulnerable code path is triggered during an HTTP/2 session initiated by the client.
- Authentication: Not required
  No credentials or account are needed; the attacker only needs to serve a crafted HTTP/2 response to any connecting client.
- Victim interaction: Required
  A user or automated process must initiate a connection to the attacker-controlled server, making this a social-engineering or supply-chain-redirect vector.
- Attack complexity: Detail
  The exploit is reliable and imposes no race-condition or environmental precondition beyond the client initiating an HTTP/2 connection.
Blast Radius
- Arbitrary code executes in the context of the client application process that called into aws-c-http.
- An attacker with code execution can read any data the client process holds in memory, including in-flight credentials, tokens, and response payloads.
- The attacker can modify data the process writes, enabling tampering with outbound requests or local state.
- The client process crashes or is fully taken over, disrupting any service that depends on it.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix for CVE-2026-12043 has been published yet, HarborGuard continuously re-checks the advisory on every ingest cycle. The moment aws-c-http 0.11.0 or any remediated release is confirmed upstream, a patched-image rebuild becomes available; for customers with auto-remediation enabled, that triggers a rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth applying at the environment level include network-policy rules that restrict which servers client workloads may reach over HTTP/2, egress filtering to block connections to untrusted or unexpected origins, and disabling HTTP/2 negotiation in application configuration where the protocol is not strictly required. Customers whose compliance policy requires manual approval before any image change can still use HarborGuard findings to track exposure scope and prioritize the upgrade queue when the patch lands.
- AWS / aws-c-http: ≤ 0.10.15
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
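One way to check an image's SBOM for bundled copies of aws-c-http in the affected range stated above (≤ 0.10.15), as an added example that is not HarborGuard's or AWS's code. The CycloneDX-style sample SBOM, the component names other than aws-c-http, and all function names are constructed for illustration.

```python
import json
import re

AFFECTED_MAX = (0, 10, 15)  # from this advisory: versions up to and including 0.10.15

def parse_version(text):
    """Return (major, minor, patch) from 'v0.10.15' or '0.11'; None if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def walk(components, path=()):
    """Yield (path, component) for every component, including nested (bundled) ones."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk(comp.get("components"), here)

def find_affected(sbom):
    """List aws-c-http components that are in the affected range or have no usable version."""
    findings = []
    for path, comp in walk(sbom.get("components")):
        if comp.get("name", "").lower() != "aws-c-http":
            continue
        ver = parse_version(comp.get("version", ""))
        if ver is None:
            status = "unknown-version"  # fail closed: route to manual review
        elif ver <= AFFECTED_MAX:
            status = "affected"
        else:
            continue
        findings.append((" > ".join(path), comp.get("version", ""), status))
    return findings

# Constructed sample SBOM (CycloneDX-style JSON), not taken from a real image.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"name": "example-sdk", "version": "1.4.0", "components": [
    {"name": "aws-c-http", "version": "v0.10.15"}]},
  {"name": "aws-c-http", "version": "0.11.0"},
  {"name": "other-tool", "version": "2.0", "components": [
    {"name": "aws-c-http", "version": "unknown"}]},
  {"name": "aws-c-common", "version": "0.9.0"}
]}
""")

if __name__ == "__main__":
    for where, version, status in find_affected(SAMPLE_SBOM):
        print(f"{status:16} {version:10} {where}")
```

The nested walk matters because aws-c-http is usually pulled in as a dependency of another package rather than listed at the top level of an SBOM.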