A heap double-free vulnerability (CVE-2026-12043) has been identified in the AWS Common Runtime HTTP client library, affecting a wide range of AWS SDK versions for C++ and Java v2. A malicious server could exploit this by sending crafted HTTP/2 HEADERS frames to trigger memory corruption on a connecting client, potentially achieving arbitrary code execution. The vulnerability affects aws-c-http versions 0.4.22 through 0.10.15 and is exposed in widely used SDK releases.

Security Architect’s Take: Audit your build pipelines and application dependencies immediately to identify use of affected aws-sdk-cpp (1.11.41–1.11.814) or aws-sdk-java-v2 (2.44.27–2.44.14) versions, and prioritise upgrading to patched releases — particularly for any workloads that connect to third-party or untrusted HTTP/2 endpoints using these SDKs.

Original advisory: CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http