AWS RES patch emergency

AWS disclosed and patched three critical vulnerabilities in its Research and Engineering Studio that could let authenticated users run root‑level commands or escalate privileges. The flaws were fixed by AWS after disclosure, underscoring that managed cloud services still require tight access control and rapid patching. (cybersecuritynews.com)

A managed cloud service still runs on ordinary computers underneath, and ordinary computers still do dangerous things when they trust the wrong input. On April 6, 2026, Amazon Web Services published bulletin 2026-014-AWS for three flaws in Research and Engineering Studio, its web portal for spinning up shared research desktops in the cloud. (aws.amazon.com)

Research and Engineering Studio is the front desk for scientists and engineers who need Windows or Linux desktops without building cloud infrastructure by hand. Amazon says the service lets admins create projects, set budgets, and hand users virtual desktops backed by Amazon Elastic Compute Cloud machines and Amazon DCV remote display sessions. (aws.amazon.com) That setup matters because a web portal like this sits between a user clicking buttons and a real machine obeying those clicks. If the portal passes the wrong text into an operating system command, the machine can treat a username or session name like instructions instead of data. (nvd.nist.gov)

The first bug, CVE-2026-5707, was in virtual desktop session names, which are the labels users give to desktops they launch. Amazon says versions 2025.03 through 2025.12.01 could let an authenticated user send a crafted session name that executes arbitrary commands as root on the virtual desktop host. (aws.amazon.com) Root is the top account on a Linux machine, like having the master key instead of a room key. The National Vulnerability Database lists Amazon’s score for CVE-2026-5707 at 8.8 out of 10 under Common Vulnerability Scoring System version 3.1, with low attack complexity and no user interaction required after login. (nvd.nist.gov)

The second bug, CVE-2026-5708, was not about typing commands directly. Amazon says the session creation component let an authenticated user tamper with user-controlled attributes in a crafted application programming interface request and assume the Virtual Desktop Host instance profile, which is the cloud role that tells the machine what other Amazon Web Services resources it may access. (aws.amazon.com) That kind of bug is a cloud version of borrowing the building manager’s badge instead of picking a lock. Amazon says the flaw could let the attacker interact with other Amazon Web Services services and resources using the desktop host’s permissions, which turns one compromised session into a wider account risk. (aws.amazon.com)

The third bug, CVE-2026-5709, lived in the FileBrowser application programming interface, the part that handles file operations from the web interface. Amazon says versions 2024.10 through 2025.12.01 could let an authenticated user send crafted input that executes arbitrary commands on the cluster-manager Amazon Elastic Compute Cloud instance. (aws.amazon.com) Amazon fixed all three in Research and Engineering Studio version 2026.03, and the March 2026 release notes describe the same repairs in plain product language: a FileBrowser privilege escalation fix, a session-name remote code execution fix, and a session-creation fix for external instance profile abuse. (docs.aws.amazon.com)

Amazon also told customers not to stop at the vendor patch if they run modified copies. The bulletin says anyone using forked or derivative code should patch those copies too, which is a reminder that open-source infrastructure can drift away from the upstream fix even when the original project moves quickly. (aws.amazon.com)

This is also one of those cases where “managed service” does not mean “nothing to manage.” Amazon’s own deployment guide says security is a shared responsibility, and Research and Engineering Studio deployments create Identity and Access Management roles, Active Directory integrations, and desktop hosts inside the customer’s account, so a bad permission boundary can turn a product bug into a bigger blast radius. (docs.aws.amazon.com)

The short version is that the attack started with a valid login, not an internet-wide worm. That means the boring controls matter most here: patch to version 2026.03, review who can create sessions, tighten the roles attached to desktop hosts, and watch Amazon Web Services security bulletins closely enough that a fix published on April 6 does not sit untouched for weeks. (aws.amazon.com)
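The session-name flaw described above is one instance of a general pattern: user-supplied text spliced into a command string that a shell then re-parses. The added example below is not code from RES or AWS; the `vdi-launch` helper, the allowlist pattern and the sample labels are constructed assumptions. It puts the fragile string form beside the argv-plus-allowlist form and shows how a POSIX shell would tokenize each.

```python
import re
import shlex
from typing import List

# Hypothetical allowlist for a session label: 1-64 letters, digits, dash, underscore.
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_session_name(name: str) -> bool:
    """Allowlist check: the label must be a plain token, nothing a shell could parse."""
    return SESSION_NAME_RE.fullmatch(name) is not None


def build_launch_unsafe(name: str) -> str:
    """The pattern behind this bug class: user text spliced into a shell string.

    If this string were handed to subprocess.run(..., shell=True), the shell would
    re-parse it, so metacharacters inside `name` become syntax rather than data.
    `vdi-launch` is a made-up helper binary, not a RES or DCV command.
    """
    return f"vdi-launch --session-name {name}"


def build_launch_safe(name: str) -> List[str]:
    """Hardened form: validate first, then pass the label as one argv element.

    A list passed to subprocess.run(args, shell=False) is never re-parsed by a
    shell, so the label reaches the program as exactly one argument.
    """
    if not is_valid_session_name(name):
        raise ValueError(f"rejected session name: {name!r}")
    return ["vdi-launch", "--session-name", name]


def shell_tokens(command: str) -> List[str]:
    """Tokenize a command string the way a POSIX shell would, to make the split visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    # Constructed inputs: one ordinary label and one carrying a shell separator.
    for label in ("genomics-desktop_01", "demo; echo injected"):
        print("unsafe tokens:", shell_tokens(build_launch_unsafe(label)))
        try:
            print("safe argv:   ", build_launch_safe(label))
        except ValueError as exc:
            print("safe argv:   ", exc)
```

The second label becomes six shell tokens in the string form but is rejected outright by the allowlist, which is the check a session-creation endpoint should apply before any command is built.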
