CVE-2026-12043
AWS · aws-c-http
A double free memory corruption vulnerability in the AWS Common Runtime aws-c-http library may lead to arbitrary code execution when processing crafted HTTP/2 HEADERS frames.
Executive summary
A high-severity memory corruption vulnerability in the AWS Common Runtime aws-c-http library could allow a malicious or compromised HTTP/2 server to achieve arbitrary code execution inside client applications that connect to it.
Vulnerability
The vulnerability stems from improper handling of HPACK dynamic table size updates carried in HTTP/2 HEADERS frames. A malicious server can send a crafted sequence of HEADERS frames that triggers a double free in the client's HPACK decoder, corrupting heap memory and potentially leading to arbitrary code execution. No interaction beyond the client opening an HTTP/2 connection to the server is required.
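To make the protocol element concrete, the following is an added example (written for this page, not code from aws-c-http or AWS) of how a decoder handles the HPACK dynamic table size update named above. It implements the RFC 7541 pieces involved: the integer encoding (section 5.1), the "001xxxxx" size update instruction (section 6.3), the rule that an update may not exceed the SETTINGS_HEADER_TABLE_SIZE the client advertised (section 4.2), and eviction of the oldest entries on shrink and on insert (sections 4.3, 4.4). Every table slot is the single owner of its name and value buffers, so each allocation is freed exactly once during eviction. The table layout, the fixed slot count, and the function names are assumptions for the example; the page does not describe where in aws-c-http the fault lies, and this code makes no claim about that.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HPACK_ENTRY_OVERHEAD 32   /* RFC 7541 section 4.1: 32 bytes per entry */
#define DYN_TABLE_CAP 64          /* fixed slot count, an assumption of this example */

struct dyn_entry { char *name; char *value; size_t size; };

struct dyn_table {
    struct dyn_entry entries[DYN_TABLE_CAP]; /* entries[0] is the oldest */
    size_t count;
    size_t size;          /* sum of entry sizes, section 4.1 */
    size_t max_size;      /* limit set by the last size update, section 4.2 */
    size_t settings_max;  /* SETTINGS_HEADER_TABLE_SIZE this endpoint advertised */
};

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static void dyn_table_init(struct dyn_table *t, size_t settings_max)
{
    memset(t, 0, sizeof *t);
    t->settings_max = settings_max;
    t->max_size = settings_max;
}

/* Evict the oldest entry. The slot is the sole owner of its buffers, so they are
 * freed here and nowhere else; the slot is zeroed so a stale pointer cannot linger. */
static void dyn_table_evict_oldest(struct dyn_table *t)
{
    struct dyn_entry *e = &t->entries[0];
    t->size -= e->size;
    free(e->name);
    free(e->value);
    t->count--;
    memmove(&t->entries[0], &t->entries[1], t->count * sizeof *e);
    memset(&t->entries[t->count], 0, sizeof *e);
}

static void dyn_table_clear(struct dyn_table *t)
{
    while (t->count > 0) dyn_table_evict_oldest(t);
}

/* Change the table limit, evicting oldest-first until the contents fit (section 4.3). */
static void dyn_table_resize(struct dyn_table *t, size_t new_max)
{
    while (t->size > new_max) dyn_table_evict_oldest(t);
    t->max_size = new_max;
}

/* Insert a header (section 4.4). An entry larger than max_size empties the table and
 * is not added; that is signalled by returning false. */
static bool dyn_table_add(struct dyn_table *t, const char *name, const char *value)
{
    size_t esize = strlen(name) + strlen(value) + HPACK_ENTRY_OVERHEAD;
    while (t->count > 0 && t->size + esize > t->max_size) dyn_table_evict_oldest(t);
    if (esize > t->max_size || t->count == DYN_TABLE_CAP) return false;
    struct dyn_entry *e = &t->entries[t->count];
    e->name = xstrdup(name);
    e->value = xstrdup(value);
    if (!e->name || !e->value) { free(e->name); free(e->value); memset(e, 0, sizeof *e); return false; }
    e->size = esize;
    t->count++;
    t->size += esize;
    return true;
}

/* Decode an HPACK integer with an N-bit prefix (section 5.1).
 * Returns bytes consumed, or 0 on truncated input or a value that overflows 32 bits. */
static size_t hpack_decode_int(const uint8_t *buf, size_t len, unsigned prefix_bits, uint32_t *out)
{
    if (len == 0) return 0;
    uint32_t mask = (1u << prefix_bits) - 1;
    uint64_t value = buf[0] & mask;
    if (value < mask) { *out = (uint32_t)value; return 1; }
    unsigned shift = 0;
    for (size_t i = 1; i < len; i++) {
        uint8_t b = buf[i];
        value += (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (value > UINT32_MAX || shift > 35) return 0;
        if ((b & 0x80) == 0) { *out = (uint32_t)value; return i + 1; }
    }
    return 0; /* ran out of bytes before the terminating octet */
}

/* Apply one dynamic table size update (001xxxxx, section 6.3) found at the start of a
 * header block fragment. Returns bytes consumed (>0), 0 if the byte is not a size update,
 * or -1 for a decoding error: truncated input, or a size above the advertised
 * SETTINGS_HEADER_TABLE_SIZE, which the peer must treat as a COMPRESSION_ERROR. */
static int hpack_apply_size_update(struct dyn_table *t, const uint8_t *buf, size_t len)
{
    if (len == 0 || (buf[0] & 0xE0) != 0x20) return 0;
    uint32_t new_max;
    size_t used = hpack_decode_int(buf, len, 5, &new_max);
    if (used == 0) return -1;
    if (new_max > t->settings_max) return -1; /* section 4.2: update exceeds our limit */
    dyn_table_resize(t, new_max);
    return (int)used;
}

int main(void)
{
    /* Constructed sample: two headers, then a crafted update to size 1 (0x21), which
     * must evict both entries, then a 3-byte update encoding 4096 (0x3F 0xE1 0x1F). */
    struct dyn_table t;
    dyn_table_init(&t, 4096);
    dyn_table_add(&t, "custom-key", "custom-value");
    dyn_table_add(&t, ":path", "/a");
    const uint8_t shrink[] = {0x21};
    const uint8_t grow[] = {0x3F, 0xE1, 0x1F};
    printf("shrink -> rc=%d count=%zu\n", hpack_apply_size_update(&t, shrink, sizeof shrink), t.count);
    printf("grow   -> rc=%d max=%zu\n", hpack_apply_size_update(&t, grow, sizeof grow), t.max_size);
    dyn_table_clear(&t);
    return 0;
}
```

The two checks a reviewer looks for in any decoder on this path are the comparison against the advertised SETTINGS_HEADER_TABLE_SIZE before the resize, and a single, unambiguous owner for every buffer the resize loop frees. A server-controlled update can drive the table from full to empty and back many times within one header block, so the eviction path must be safe to run repeatedly.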
Business impact
The CVSS score of 8.8 reflects the high potential for remote code execution, which could lead to full compromise of any client application that links the vulnerable library. Because the trigger arrives from the server side of the connection, every process that speaks HTTP/2 to servers it does not fully control is exposed, including processes that reach such servers only through AWS SDKs or language bindings that bundle the Common Runtime.
Remediation
Immediate Action: Update the aws-c-http library to version 0.11.0 or later.
Proactive Monitoring: Monitor client application logs for crashes or unexpected process behavior that may indicate memory corruption attempts. On glibc-based systems a double free is often caught by the allocator's own checks, which abort the process with a message such as "free(): double free detected in tcache 2" on stderr; SIGABRT and SIGSEGV core dumps in processes that link the Common Runtime are worth triaging while the fix is rolled out.
Compensating Controls: Restrict client-side connections to trusted, verified servers and keep memory protection features (ASLR, NX/DEP) enabled on host systems. Note that TLS does not mitigate this issue: the crafted HEADERS frames travel inside the authenticated session, so a compromised but correctly certificated server can still deliver them.
Exploitation status
Public Exploit Available: not reported
Analyst recommendation
Given the potential for arbitrary code execution, this library should be updated across all affected client applications immediately. Security teams should prioritize identifying all software dependencies that include the AWS Common Runtime; it is usually pulled in transitively by AWS SDKs and language bindings rather than linked directly, so a search for a direct aws-c-http dependency alone will miss affected builds.