AWS SDK for Go v2 Crashes from Malformed EventStream Response

GHSA-xmrv-pmrh-hhx2
Summary

A malicious response from AWS can cause the Go SDK to crash, potentially disrupting services. This issue affects older versions of the AWS SDK for Go v2. To fix it, update to the latest version of the SDK, which was released on March 23, 2026. If you're using an older version, upgrade as soon as possible to prevent potential crashes.

What to do
  • Update aws github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream to version 1.7.8.
  • Update aws github.com/aws/aws-sdk-go-v2/service/bedrockagentcore to version 1.15.2.
  • Update aws github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime to version 1.51.8.
  • Update aws github.com/aws/aws-sdk-go-v2/service/bedrockruntime to version 1.50.4.
  • Update aws github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs to version 1.65.0.
  • Update aws github.com/aws/aws-sdk-go-v2/service/iotsitewise to version 1.52.19.
  • Update aws github.com/aws/aws-sdk-go-v2/service/kinesis to version 1.43.5.
  • Update aws github.com/aws/aws-sdk-go-v2/service/lambda to version 1.88.5.
  • Update aws github.com/aws/aws-sdk-go-v2/service/lexruntimev2 to version 1.35.15.
  • Update aws github.com/aws/aws-sdk-go-v2/service/s3 to version 1.97.3.
  • Update aws github.com/aws/aws-sdk-go-v2/service/sagemakerruntime to version 1.39.6.
  • Update aws github.com/aws/aws-sdk-go-v2/service/transcribestreaming to version 1.34.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| aws | github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream | <= 1.7.8 | 1.7.8 |
| aws | github.com/aws/aws-sdk-go-v2/service/bedrockagentcore | <= 1.15.2 | 1.15.2 |
| aws | github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime | <= 1.51.8 | 1.51.8 |
| aws | github.com/aws/aws-sdk-go-v2/service/bedrockruntime | <= 1.50.4 | 1.50.4 |
| aws | github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs | <= 1.65.0 | 1.65.0 |
| aws | github.com/aws/aws-sdk-go-v2/service/iotsitewise | <= 1.52.19 | 1.52.19 |
| aws | github.com/aws/aws-sdk-go-v2/service/kinesis | <= 1.43.5 | 1.43.5 |
| aws | github.com/aws/aws-sdk-go-v2/service/lambda | <= 1.88.5 | 1.88.5 |
| aws | github.com/aws/aws-sdk-go-v2/service/lexruntimev2 | <= 1.35.15 | 1.35.15 |
| aws | github.com/aws/aws-sdk-go-v2/service/s3 | <= 1.97.3 | 1.97.3 |
| aws | github.com/aws/aws-sdk-go-v2/service/sagemakerruntime | <= 1.39.6 | 1.39.6 |
| aws | github.com/aws/aws-sdk-go-v2/service/transcribestreaming | <= 1.34.5 | 1.34.5 |
Original title
Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
Original description
**CVSSv3.1 Rating**: [Medium]
**CVSSv3.1 Score**: [5.9]
**CVSSv3.1 Vector String**: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H]

## Summary and Impact
An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating [2026-03-23](https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23). An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate.
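The advisory names the failure mode (a header value type byte outside the valid range) but not the decoder. The following is an added illustration written for this page, not the SDK's own code: a defensive decoder for a single EventStream header whose bounds and type checks all run before any slice or table access, so a malformed frame from the peer returns an error rather than terminating the process. `DecodeHeader`, `Header` and `fixedLen` are names chosen for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header value types from the AWS EventStream encoding: 0 and 1 are bool true/false,
// 2 byte, 3 short, 4 int32, 5 int64, 6 byte array, 7 string, 8 timestamp, 9 uuid.
const typeBytes, typeString = 6, 7

// fixedLen gives the payload length of each fixed-size type; typeBytes and
// typeString carry a 2-byte big-endian length prefix instead.
var fixedLen = map[byte]int{0: 0, 1: 0, 2: 1, 3: 2, 4: 4, 5: 8, 8: 8, 9: 16}

var errMalformed = errors.New("eventstream: malformed header")

// Header is one decoded header (a type defined for this example, not the SDK's).
type Header struct {
	Name  string
	Type  byte
	Value []byte // raw value bytes; interpretation depends on Type
}

// DecodeHeader parses one header (name length, name, type byte, value) from buf and returns
// it with the number of bytes consumed. Every length and the type byte are validated before
// any slice or table access, so untrusted input yields an error, never a panic.
func DecodeHeader(buf []byte) (Header, int, error) {
	if len(buf) < 1 || buf[0] == 0 || len(buf) < 2+int(buf[0]) {
		return Header{}, 0, errMalformed // no room for name length, name and type byte
	}
	nameLen := int(buf[0])
	name, t, pos := string(buf[1:1+nameLen]), buf[1+nameLen], 2+nameLen
	n, ok := fixedLen[t]
	if t == typeBytes || t == typeString { // length-prefixed value
		if len(buf) < pos+2 {
			return Header{}, 0, errMalformed
		}
		n, ok, pos = int(binary.BigEndian.Uint16(buf[pos:])), true, pos+2
	}
	if !ok { // the input class behind this advisory: a type byte outside 0..9
		return Header{}, 0, fmt.Errorf("%w: value type %d out of range", errMalformed, t)
	}
	if len(buf) < pos+n {
		return Header{}, 0, errMalformed
	}
	return Header{Name: name, Type: t, Value: buf[pos : pos+n]}, pos + n, nil
}
```

A frame decoder built on this loops over the headers block calling DecodeHeader until it is consumed, and treats any returned error as a protocol failure for that stream rather than a crash.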

Impacted versions: < [2026-03-23](https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23)

## Patches
This issue has been addressed in versions [2026-03-23](https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

## Workarounds
Not Applicable

## References
If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue.
Source: OSV · CVSS 3.1 score: 5.9
Vulnerability type
CWE-20 Improper Input Validation
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026