Describe the bug
The AWS CLI v2 Linux installer bundles its own Python interpreter as
/usr/local/aws-cli/v2/<version>/dist/libpython3.14.so.1.0. The current
release (2.35.4) still bundles Python 3.14.5, which is flagged by container
image scanners for the following CPython CVEs:
- CVE-2026-7210 (Critical) — xml.parsers.expat / xml.etree insufficient entropy (XML hash-flooding)
- CVE-2026-6100 (Critical) — use-after-free in lzma/bz2/gzip decompressors after MemoryError
- CVE-2026-9669 (High) — Python
All three are fixed in CPython 3.14.6 (released 2026-06-10). Any container
image that installs the official AWS CLI v2 fails security scans because of
the bundled libpython3.14, even though the rest of the image is clean.
This is the same class of issue as #10209 (bundled Python 3.14.3 → CVE-2026-4519), which was resolved by rebuilding the installer against a patched Python.
Regression Issue
Expected Behavior
The AWS CLI v2 installer bundles a patched CPython interpreter (3.14.6 or
later), so that the bundled libpython3.14.so.1.0 is no longer reported for
CVE-2026-7210, CVE-2026-6100, and CVE-2026-9669.
Current Behavior
The latest AWS CLI v2 (2.35.4) still bundles Python 3.14.5. A scan of the
installed dist directory reports:
CVE-2026-7210  Critical  python 3.14.5  /usr/local/aws-cli/v2/2.35.4/dist/libpython3.14.so.1.0
CVE-2026-6100  Critical  python 3.14.5  /usr/local/aws-cli/v2/2.35.4/dist/libpython3.14.so.1.0
CVE-2026-9669  High      python 3.14.5  /usr/local/aws-cli/v2/2.35.4/dist/libpython3.14.so.1.0
The most recent bundled-Python upgrade in the changelog is 2.34.52
("Upgraded bundled Python interpreter to version 3.14.5"); nothing since has
moved it to 3.14.6.
Reproduction Steps
- Install AWS CLI v2 on Linux via the official installer:
  curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o awscliv2.zip
  unzip awscliv2.zip && sudo ./aws/install
- Scan the installed directory with any CVE scanner, e.g. Trivy:
  trivy fs /usr/local/aws-cli/
  (or Grype: grype dir:/usr/local/aws-cli/)
- Observe CVE-2026-7210, CVE-2026-6100, and CVE-2026-9669 reported against the bundled /usr/local/aws-cli/v2//dist/libpython3.14.so.1.0 (Python 3.14.5).
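A lightweight check that complements the scanner step above, added here and not part of this issue or the AWS CLI project: it reads the bundled interpreter version from the Python/X.Y.Z token that aws --version prints and returns non-zero when that version is older than the 3.14.6 fix release this report names. The version line below is a constructed sample, not captured output; on a real host pass "$(aws --version 2>&1)" instead.

```shell
#!/bin/sh
# Constructed sample of an `aws --version` line (not captured from a real host).
SAMPLE_VERSION_LINE='aws-cli/2.35.4 Python/3.14.5 Linux/6.8.0 exe/x86_64.ubuntu.24'
# First CPython release that carries the fixes for the three CVEs in this report.
FIXED_PYTHON='3.14.6'

# Extract "X.Y.Z" from the "Python/X.Y.Z" token of an `aws --version` line.
bundled_python_version() {
    printf '%s\n' "$1" | sed -n 's/.*Python\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version "$1" is older than "$2", 1 otherwise.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0; if (xi > yi) exit 1;
        }
        exit 1 }'
}

# Report the bundled interpreter state for a version line.
# Exit status: 0 patched, 1 vulnerable, 2 version could not be parsed.
check_bundled_python() {
    ver=$(bundled_python_version "$1")
    [ -n "$ver" ] || { echo "unknown: no Python/ field in version line" >&2; return 2; }
    if version_lt "$ver" "$FIXED_PYTHON"; then
        echo "vulnerable: bundled Python $ver is older than $FIXED_PYTHON"
        return 1
    fi
    echo "patched: bundled Python $ver is $FIXED_PYTHON or newer"
    return 0
}

# Demonstration on the constructed sample; wire the call into a CI gate
# with "$(aws --version 2>&1)" to block images that still bundle 3.14.5.
if ! check_bundled_python "$SAMPLE_VERSION_LINE"; then
    echo "image would fail the scan gate"
fi
```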
Possible Solution
Rebuild the AWS CLI v2 installer with the bundled CPython interpreter
upgraded to 3.14.6 or later (which contains the fixes for all three CVEs),
and publish it as a new 2.x.y release, as was done for #10209.
Additional Information/Context
bundles libexpat 2.8.1.
/ Grype
policy gates) for every image that ships the official AWS CLI v2, on both linux/amd64 and linux/arm64.
CLI version used
aws-cli/2.35.4 (also reproduces on 2.34.37); bundled Python 3.14.5
Environment details (OS name and version, etc.)
Linux, container images (Ubuntu 24.04 base), linux/amd64 and linux/arm64. Installed via the official awscli-exe-linux-.zip installer.