CVE-2026-10740 - Excessive memory allocation in s2n-quic
Bulletin ID: 2026-042-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/10/2026 11:15 AM PDT Description: s2n-quic is a Rust implementation of the QUIC protocol. We identified CVE-2026-10740, an issue of unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.82.0. An unauthenticated user can attempt to exhaust server memory on an s2n-quic endpoint by sending crafted CRYPTO frames with high offsets. The buffer used for processing CRYPTO frames does not enforce a maximum size. In the worst case, a single 1200-byte packet can cause approximately 9.4 MB of allocation. By repeatedly sending such packets, the resulting memory pressure could cause denial of service. No valid handshake is required. Impacted versions: < v1.82.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
AI Analysis
Technical Summary
AWS CDK (aws-cdk-lib) versions before 2.245.0 (2.246.0 on Windows) contain an OS command injection vulnerability (CVE-2026-11417) in the NodejsFunction local bundling pipeline. This vulnerability arises when an attacker controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs), allowing injection of shell metacharacters and execution of arbitrary commands on the host running the CDK toolchain. The vulnerability requires the attacker to have control over these bundling properties within the CDK application. AWS has addressed this issue in versions 2.245.0 and later (2.246.0 on Windows).
Potential Impact
An attacker who can control the specified bundling properties in the aws-cdk-lib NodejsFunction bundling pipeline can execute arbitrary OS commands on the host machine running the CDK toolchain. This could lead to unauthorized command execution and potential compromise of the host environment where the CDK toolchain is executed.
Mitigation Recommendations
AWS has released fixed versions 2.245.0 (2.246.0 on Windows) that resolve this vulnerability. The recommended mitigation is to upgrade aws-cdk-lib to these versions or later. Additionally, ensure that values passed to NodejsFunction bundling properties come only from trusted sources and audit any third-party constructs or pull requests that set these properties. Upgrading to a fixed version is the preferred remediation.
CVE-2026-10740 - Excessive memory allocation in s2n-quic
Description
Bulletin ID: 2026-042-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/10/2026 11:15 AM PDT Description: s2n-quic is a Rust implementation of the QUIC protocol. We identified CVE-2026-10740, an issue of unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.82.0. An unauthenticated user can attempt to exhaust server memory on an s2n-quic endpoint by sending crafted CRYPTO frames with high offsets. The buffer used for processing CRYPTO frames does not enforce a maximum size. In the worst case, a single 1200-byte packet can cause approximately 9.4 MB of allocation. By repeatedly sending such packets, the resulting memory pressure could cause denial of service. No valid handshake is required. Impacted versions: < v1.82.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
AWS CDK (aws-cdk-lib) versions before 2.245.0 (2.246.0 on Windows) contain an OS command injection vulnerability (CVE-2026-11417) in the NodejsFunction local bundling pipeline. This vulnerability arises when an attacker controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs), allowing injection of shell metacharacters and execution of arbitrary commands on the host running the CDK toolchain. The vulnerability requires the attacker to have control over these bundling properties within the CDK application. AWS has addressed this issue in versions 2.245.0 and later (2.246.0 on Windows).
Potential Impact
An attacker who can control the specified bundling properties in the aws-cdk-lib NodejsFunction bundling pipeline can execute arbitrary OS commands on the host machine running the CDK toolchain. This could lead to unauthorized command execution and potential compromise of the host environment where the CDK toolchain is executed.
Mitigation Recommendations
AWS has released fixed versions 2.245.0 (2.246.0 on Windows) that resolve this vulnerability. The recommended mitigation is to upgrade aws-cdk-lib to these versions or later. Additionally, ensure that values passed to NodejsFunction bundling properties come only from trusted sources and audit any third-party constructs or pull requests that set these properties. Upgrading to a fixed version is the preferred remediation.
Technical Details
- Article Source
- {"url":"https://aws.amazon.com/security/security-bulletins/rss/2026-041-aws/","fetched":true,"fetchedAt":"2026-06-10T18:07:49.548Z","wordCount":240}
Threat ID: 6a29a7f51a07ffb497d9e114
Added to database: 6/10/2026, 6:07:49 PM
Last enriched: 6/10/2026, 6:07:55 PM
Last updated: 6/10/2026, 7:55:29 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.