No customer action is required. Octelligence's affected RDS MariaDB instance was upgraded to RDS MariaDB 11.8.6 on May 21, 2026, within one day of AWS publishing the advisory. No customer data was at risk during the window.
Summary
On May 20, 2026, AWS published an advisory regarding a heap buffer overflow in the JSON schema validation logic of Amazon RDS for MariaDB. The vulnerability affects RDS MariaDB versions 11.4.2 through 11.4.9, 11.7.1, and 11.8.1 through 11.8.5. AWS released patched versions, 11.4.10 and 11.8.6, on February 19, 2026, several months before broadly notifying affected customers.
The advisory was delivered to Octelligence through the AWS Health Dashboard for our us-east-1 account, indicating one affected resource. Action was marked required.
Octelligence impact
Octelligence runs portions of its production infrastructure on Amazon RDS for MariaDB. One instance in our us-east-1 deployment was running an affected version when the advisory was published. The instance was upgraded to RDS MariaDB 11.8.6 on May 21, 2026, within one day of receiving the advisory.
We reviewed activity logs for the full window during which the affected version was running (February 19, 2026 through May 21, 2026) and identified no anomalous activity consistent with exploitation of this vulnerability. We assess that no customer data was accessed or at risk.
Timeline
- AWS releases patched MariaDB versions (11.4.10, 11.8.6) without broad customer notification.
- AWS publishes the security advisory to affected customers through the Health Dashboard.
- Octelligence receives the advisory and begins remediation within hours.
- Affected instance upgraded to RDS MariaDB 11.8.6. Auto-minor-version-upgrade enabled going forward. Activity logs reviewed for the affected window.
- This advisory published.
Remediation completed by Octelligence
- Affected RDS instance upgraded to RDS MariaDB 11.8.6 via the AWS Management Console
- Pre-upgrade snapshot taken per standard change-management procedure
- Auto-minor-version-upgrade enabled on the instance to receive future patches automatically
- Activity logs reviewed for the affected window; no anomalous activity detected
- Service downtime during the rolling restart: under one minute
- Internal change record filed and linked to the AWS Health Dashboard event ID
Customer action required
None. The vulnerability and the fix are entirely at the database-infrastructure layer. No customer-side configuration, library update, or password change is needed.
What we changed about how we handle these
This advisory was issued by AWS on May 20, 2026, three months after the patched versions were released on February 19, 2026. During that window, the affected instance continued to run the older minor version because auto-minor-version-upgrade was not enabled.
As part of this remediation we enabled auto-minor-version-upgrade on the affected instance and have audited the same setting across our remaining RDS fleet. We have also added a weekly review of the AWS Health Dashboard to our internal operations calendar.
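The fleet audit described above can be scripted. The following is an added example, not Octelligence's or AWS's own tooling: it reads JSON in the shape returned by `aws rds describe-db-instances` and flags MariaDB instances that run a version listed as affected in this advisory or that have auto-minor-version-upgrade disabled. The instance names and the sample data are constructed.

```python
import json

# Affected RDS MariaDB versions as listed in this advisory (inclusive ranges).
AFFECTED_RANGES = [
    ((11, 4, 2), (11, 4, 9)),
    ((11, 7, 1), (11, 7, 1)),
    ((11, 8, 1), (11, 8, 5)),
]

def parse_version(text):
    """Turn '11.4.10' into (11, 4, 10) so it sorts after 11.4.9, unlike a string compare."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(describe_output):
    """Return {instance id: [findings]} for MariaDB instances that need attention."""
    report = {}
    for db in json.loads(describe_output).get("DBInstances", []):
        if db.get("Engine") != "mariadb":
            continue
        findings = []
        version = parse_version(db.get("EngineVersion", ""))
        if version is None:
            # Do not silently pass a version string we cannot compare.
            findings.append("unparsed-version")
        elif any(low <= version <= high for low, high in AFFECTED_RANGES):
            findings.append("affected-version")
        if not db.get("AutoMinorVersionUpgrade", False):
            findings.append("auto-minor-upgrade-disabled")
        if findings:
            report[db["DBInstanceIdentifier"]] = findings
    return report

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "example-a", "Engine": "mariadb",
     "EngineVersion": "11.8.5", "AutoMinorVersionUpgrade": False},
    {"DBInstanceIdentifier": "example-b", "Engine": "mariadb",
     "EngineVersion": "11.8.6", "AutoMinorVersionUpgrade": True},
    {"DBInstanceIdentifier": "example-c", "Engine": "mariadb",
     "EngineVersion": "11.4.10", "AutoMinorVersionUpgrade": False},
    {"DBInstanceIdentifier": "example-d", "Engine": "postgres",
     "EngineVersion": "16.3", "AutoMinorVersionUpgrade": False},
]})

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, ", ".join(findings))
```

To run it against a real account, pass the saved output of `aws rds describe-db-instances` to `audit()` once per region in use.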
References
- AWS Health Dashboard notification (May 20, 2026)
- Amazon RDS for MariaDB
- MariaDB
Questions about this advisory? Email security@octelligence.com. To see all security advisories, visit the advisories index. To report a vulnerability you've found, see our responsible disclosure policy.