Severe/Critical Security Bulletins in the Last 7 Days
Ongoing updates on Copy.fail and variants
Bulletin ID: 2026-030-AWS
Publication Date: 2026-05-13
Summary: AWS is aware of the copy.fail or DirtyFrag class of issues, a set of privilege escalation issues affecting the Linux Kernel. AWS recommends applying all updates addressing these issues as soon as they are available.
CVE-2026-8596 & CVE-2026-8597 - Model artifact integrity verification issues in Amazon SageMaker Python SDK
Bulletin ID: 2026-031-AWS
Publication Date: 2026-05-14
Summary: Amazon SageMaker Python SDK had cleartext storage of sensitive information and missing integrity verification issues. Users should update to the latest versions.
CVE-2026-8838 - Remote Code Execution in amazon-redshift-python-driver
Bulletin ID: 2026-033-AWS
Publication Date: 2026-05-18
Summary: A code injection issue in the amazon-redshift-python-driver could allow a rogue server or man-in-the-middle to execute arbitrary code on the client. Update to version 2.1.14 or later.
CVE-2026-9133 - Arbitrary file read in rabbitmq-aws plugin
Bulletin ID: 2026-034-AWS
Publication Date: 2026-05-20
Summary: The rabbitmq-aws plugin contained active debug code that allowed remote authenticated users to read arbitrary files. Update to the latest version.
CVE-2026-8686 - Heap out-of-bounds read in coreMQTT MQTT5 property parsing
Bulletin ID: 2026-032-AWS
Publication Date: 2026-05-15
Summary: An issue in coreMQTT MQTT v5.0 SUBACK and UNSUBACK property parser allowed a denial of service via heap out-of-bounds read. Update to version 5.0.1 or later.
CVE-2026-7424 - Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP
Bulletin ID: 2026-022-AWS
Publication Date: 2026-04-29
Summary: An integer underflow issue in the DHCPv6 sub-option parser could allow an adjacent network user to corrupt device configurations and cause a denial of service. Update to the latest version.
CVE-2026-7191 - Arbitrary Code Execution via Sandbox Bypass in QnABot on AWS
Bulletin ID: 2026-020-AWS
Publication Date: 2026-04-27
Summary: An improper use of the static-eval npm package allowed an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context. Update to version 7.2.4 or later.
CVE-2026-6550 - Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
Bulletin ID: 2026-017-AWS
Publication Date: 2026-04-20
Summary: A cryptographic algorithm downgrade in the caching layer of the AWS Encryption SDK for Python could allow an authenticated local threat actor to bypass key commitment policy enforcement. Update to version 3.3.1 or later.
CVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transport
Bulletin ID: 2026-015-AWS
Publication Date: 2026-04-07
Summary: An out-of-bounds write issue in the virtio PCI transport in Firecracker could allow a local guest user to crash the VMM process or execute arbitrary code on the host. Update to the latest version.
CVE-2026-5429 - Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
Bulletin ID: 2026-012-AWS
Publication Date: 2026-04-02
Summary: Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE allowed a remote unauthenticated threat actor to execute arbitrary code. Update to version 0.8.140 or later.
CVE-2026-4428 - Issues with AWS-LC: CRL Distribution Point Scope Check Logic Error
Bulletin ID: 2026-010-AWS
Publication Date: 2026-03-19
Summary: A logic error in the CRL distribution point matching in AWS-LC allowed a revoked certificate to bypass revocation checks. Update to the latest version.
Summary: A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit allowed a remote actor to inject code during the build process. Update to version 0.1.1.