April 20, 2026
Palette Cleanser
Last week I joined the chorus of folks screaming fire about Mythos. This week I'm going to pour some water over it. Davi Ottenheimer wrote a scathing takedown of Mythos and the Anthropic marketing of it. His main points are that the press-release "thousands of zero-days" number doesn't actually appear anywhere in the 244-page system card in reference to vulnerabilities, there is no CVE list or severity breakdown, and the flagship Firefox demo ran against a sandboxless harness using vulns handed over from Claude Opus 4.6 rather than anything Mythos found on its own. Strip the top two bugs out of that test set and the reported success rate drops from 72.4% to 4.4%. Also, an open-weight 3.6B active parameters model reproduced one of the showcased FreeBSD finds for just eleven cents per million tokens. Look, I haven't yet read the system card or used Mythos but I did read Davi's post and I'm definitely not taking this marketing stuff at face value. Not yet anyway.
Chef's selections
- Part 2 - CVE-2026-5429 AWS Kiro WebView XSS to Remote Code Execution by Dhiraj Mishra
Kiro, AWS's VS Code agentic IDE, drops the workbench.colorTheme string into an inline script tag with no escaping and no Content Security Policy, so a malicious theme extension checked into a repo's .vscode/ folder runs arbitrary JavaScript in the Kiro webview the moment the project is opened. From there, the webview exposes a subprocess message handler that shells out, chaining theme-label XSS into full command execution as the developer. It's Dhiraj's second Kiro-to-RCE after the unquoted-workspace-path command injection in Part 1, and workspace-settings-as-attack-surface looks like a pattern worth watching.
- The Invisible Footprint: How Anonymous S3 Requests Evade AWS Logging by Maya Parizer
Maya found that anonymous S3 requests from inside a VPC to an external bucket produced no CloudTrail event in the caller's account, whether the endpoint policy allowed the call or denied it. No management event, no data event, no Network Activity event on the caller side, so a compromised workload could quietly reach out to an attacker-owned bucket with nothing in its own CloudTrail mentioning it. AWS has since patched it to emit Network Activity events for these calls, and the writeup pairs nicely with the earlier VPC endpoint account-ID leak research for a full tour of how invisible this path used to be.
AWS security blogs
- Amazon WorkSpaces Personal and Amazon WorkSpaces Core are now available in two additional AWS Regions
- AWS Payment Cryptography now available in South America (São Paulo)
- Transform security logs into OCSF format using a configuration-driven ETL solution by Vivek Gautam
- Secure AI agent access patterns to AWS resources using Model Context Protocol by Riggs Goodman III
Reddit threads on r/aws
No threads this week.
Sponsor shoutout
Meet Pleri: your AI security engineer. She's not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.
Learn more about Pleri and see her in action.
Dessert
Dessert is made by robots, for those that enjoy the industrial content.
IAM permission changes
API changes
- AWS Clean Rooms Service
- AmazonConnectCampaignServiceV2
- AWS Ground Station
- EC2 Image Builder
- Amazon QuickSight
- Amazon SageMaker Service
- Amazon AppStream
- Auto Scaling
- Amazon Bedrock AgentCore
- Amazon Cognito Identity Provider
- Amazon Connect Service
- Amazon Connect Customer Profiles
- Amazon DataZone
- AWS Elemental MediaConvert
- Amazon Relational Database Service
- Amazon Connect Customer Profiles
- AWSDeadlineCloud
- Interconnect
- Amazon Macie 2
- AWS SecurityHub
IAM managed policy changes
- AmazonEKSComputePolicy
- AWS_ConfigRole
- AWSConfigServiceRolePolicy
- AWSBatchServiceRolePolicyForSageMaker
- AWSObservabilityAdminTelemetryEnablementServiceRolePolicy
- AmazonEBSCSIDriverEKSClusterScopedPolicy
- AmazonEBSCSIDriverPolicyV2
- AmazonEKSServiceRolePolicy
- AmazonSageMakerNotebooksServiceRolePolicy
- AmazonSageMakerNotebooksServiceRolePolicy
- AmazonEBSCSIDriverPolicyV2
- AmazonEBSCSIDriverEKSClusterScopedPolicy
- AWSObservabilityAdminTelemetryEnablementServiceRolePolicy
- AWSBatchServiceRolePolicyForSageMaker
- AmazonEKSServiceRolePolicy
- AWSBedrockAgentCoreIdentityNetworkServiceRolePolicy
- AmazonEKSLoadBalancingPolicy
CloudFormation resource changes
Amazon Linux vulnerabilities
- CVE-2026-6507: dnsmasq - OOB write via crafted BOOTREPLY packet causing DoS
- CVE-2026-40170: ngtcp2 - stack buffer overflow in qlog transport parameter serialization
- CVE-2026-6409: protobuf - DoS via malformed messages with negative varints or deep recursion
- CVE-2026-41035: rsync - UAF in receive_xattr via untrusted length during qsort
- CVE-2026-40253: opencryptoki - OOB read in BER/DER decoders lacking buffer length validation
- CVE-2026-41080: expat - hash flooding DoS via insufficient entropy in crafted XML
- CVE-2026-27820: ruby - buffer overflow in Zlib::GzipReader zstream_buffer_ungets
- CVE-2026-40947: libfido2 - unintended DLL search path enabling code execution
- CVE-2026-30656: fio - null deref in str_fdp_pli_cb when parsing fdp_pli job option
- CVE-2026-3505: bouncycastle - pre-auth resource exhaustion via unbounded PGP AEAD chunk size
- CVE-2026-33999: xorg-x11-server - integer underflow in XkbSetCompatMap
- CVE-2026-34003: xorg-x11-server - buffer overflow in XKB CheckKeyTypes
- CVE-2026-40917: GIMP - heap buffer over-read in icns_slurp when parsing ICNS files
- CVE-2026-40192: python-pillow - DoS via unbounded GZIP decompression in FITS decoder
- CVE-2026-40915: GIMP - integer overflow in FITS loader leading to heap buffer overflow
- CVE-2026-40261: Composer - command injection via malicious Perforce source URL
- CVE-2026-40916: GIMP - stack buffer overflow in TIM 4BPP decoder causing DoS
- CVE-2026-6384: GIMP - buffer overflow in GIF ReadJeffsImage function
- CVE-2026-40918: GIMP - stack buffer overflow and OOB read in PVR image loader
- CVE-2026-5598: BouncyCastle - timing channel leaks FrodoKEM private key
- CVE-2026-5588: BouncyCastle - PKIX CompositeVerifier accepts empty signature sequences
- CVE-2026-39984: nerdctl/finch - Sigstore TSA leaf cert mismatch bypasses verification
- CVE-2026-34002: xorg-x11-server - OOB read in XKB CheckModifierMap()
- CVE-2026-40919: GIMP - buffer overflow in file-seattle-filmworks plugin causing DoS
- CVE-2026-34000: xorg-x11-server - OOB read in XKB CheckSetGeom()
- CVE-2026-40176: Composer - command injection via malicious Perforce repository definition
- CVE-2026-6245: SSSD - OOB read in pam_passkey_child_read_data crashes PAM responder
- CVE-2026-23666: .NET - race condition allows network DoS
- CVE-2026-33116: .NET - infinite loop allows network DoS
- CVE-2026-2332: Jetty - HTTP/1.1 chunked encoding parsing enables request smuggling
- CVE-2026-32178: .NET - spoofing via improper neutralization of special elements
- CVE-2026-32203: .NET - stack-based buffer overflow leading to DoS
- CVE-2026-26171: .NET - uncontrolled resource consumption causing DoS
- CVE-2026-5713: Python - remote debugging info disclosure via asyncio introspection
- CVE-2026-34001: xorg-x11-server - UAF in XSYNC miSyncTriggerFence
- CVE-2026-40164: jq - hash collision DoS via hardcoded MurmurHash3 seed
- CVE-2026-32226: .NET Framework - race condition causing DoS
- CVE-2026-33948: jq - validation bypass via NUL byte truncation in CLI input
- CVE-2026-33947: jq - unbounded recursion DoS in setpath/getpath/delpaths
- CVE-2026-31418: Linux kernel - netfilter ipset empty bucket handling in mtype_del
- CVE-2026-6100: Python - UAF in lzma, bz2, and gzip decompressors on MemoryError
- CVE-2026-31423: Linux kernel - divide-by-zero in net/sched sch_hfsc rtsc_min
- CVE-2026-39979: jq - OOB read in jv_parse_sized error-handling path
- CVE-2026-33555: haproxy - HTTP/3 request smuggling via missing content-length check
- CVE-2026-32316: jq - integer overflow causing heap buffer overflow in string concat
- CVE-2026-31416: Linux kernel - netfilter nfnetlink_log netlink header size miscalculation DoS
- CVE-2026-31428: Linux kernel - uninitialized padding info disclosure in netfilter nfnetlink_log NFULA_PAYLOAD
- CVE-2026-40310: ImageMagick - heap OOB write in JP2 encoder via invalid sampling index
- CVE-2026-33908: ImageMagick - stack exhaustion DoS via recursive XML tree destruction
- CVE-2026-39956: jq - missing type check in _strindices builtin causes crash or memory read
- CVE-2026-40169: ImageMagick - heap OOB write when writing YAML or JSON output from crafted image
- CVE-2026-31415: Linux kernel - integer overflow in IPv6 ip6_datagram_send_ctl
- CVE-2026-31417: Linux kernel - packet accumulation overflow in net/x25
- CVE-2026-31419: Linux kernel - UAF in bonding driver bond_xmit_broadcast
- CVE-2026-31427: Linux kernel - uninitialized rtp_addr use in netfilter nf_conntrack_sip process_sdp
- CVE-2026-40311: ImageMagick - heap UAF crash via invalid XMP profile data
- CVE-2026-34238: ImageMagick - integer overflow causing heap buffer overflow in despeckle on 32-bit
- CVE-2026-40312: ImageMagick - off-by-one crash in MSL decoder via malicious MSL file
- CVE-2026-31422: Linux kernel - null deref on shared blocks in cls_flow network scheduler
- CVE-2026-31421: Linux kernel - NULL pointer deref in net/sched cls_fw on shared blocks
- CVE-2026-33901: ImageMagick - heap buffer overflow in MVG decoder
- CVE-2026-31425: Linux kernel - RDS IB FRMR registration before IB connection established
- CVE-2026-31414: Linux kernel - netfilter nf_conntrack_expect helper misuse
- CVE-2026-4786: Python - command injection via webbrowser.open() URL bypass
- CVE-2026-6192: openjpeg2 - integer overflow in opj_pi_initialise_encode
- CVE-2026-31420: Linux kernel - bridge mrp OOM panic on zero test interval
- CVE-2026-33902: ImageMagick - stack overflow in FX expression parser via nested expressions
- CVE-2026-31424: Linux kernel - netfilter x_tables missing extension checks for NFPROTO_ARP
- CVE-2026-40183: ImageMagick - heap write overflow in JXL encoder with 16-bit floats
- CVE-2026-33900: ImageMagick - integer truncation in viff encoder causing heap corruption
- CVE-2026-31426: Linux kernel - missing cleanup on probe failure in acpi_ec_setup()
- CVE-2026-33899: ImageMagick - OOB write of single zero byte when parsing XML
- CVE-2026-33905: ImageMagick - OOB read in -sample operation via sample:offset
AWS security bulletins
- Issues with AWS Research and Engineering Studio (RES)
- Issues with Amazon Athena ODBC Driver
- CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver
- CVE-2026-5429 - Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
- CVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transport
- CVE-2026-5190 - AWS C Event Stream Streaming Decoder Stack Buffer Overflow
Security documentation changes
- IAM: session policies do not support incomplete ARNs
- IAM: same session-policy ARN clarification on a second page
- Route53: DNS Firewall redirection trust is per-query only, follow-ups need explicit allow
- AppStream 2.0: Amazon Linux 2 images reach end of support 2026-04-15
- CLI: IAM role ARN pattern validation tightened
- CLI: same IAM role ARN tightening on a related command
- CLI: --user-id now optional and deprecated, resolved from the session
- Config: managed policies gained additional permissions across several services
- Connect: Chrome/Edge enterprise policy required for screen recording local network access
- EKS: new V2 EBS CSI driver policies add tag-based scoping
- EKS: docs now point at the V2 EBS CSI driver policy with migration guidance
- EKS: example output updated to the V2 EBS CSI driver policy ARN
- EMR: recreating the Identity Center role changes its principal ID and breaks downstream policies
- Inspector: GitLab PAT scopes reduced to api, read_api, and read_repository
- Athena: UseAwsLogger default flipped to 0, debug/trace logs can leak sensitive data
- EKS: EFS CSI driver IAM role split into separate controller and node roles
- Glue: tables may not inherit disabled optimizer state from catalog config
- Inspector: false-positive CVE findings from the SSM plugin documented