CVE-2026-22611: AWS SDK for .NET V4 adopted defense in depth enhancement for region parameter value

January 9, 2026 (updated January 11, 2026)

This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value.

A defense-in-depth enhancement has been implemented in the AWS SDK for .NET v4. This enhancement validates that a region used to construct an endpoint URL is a valid host label. The change was released on Nov 21, 2025. This advisory is informational to help customers understand their responsibilities regarding configuration security.

References

github.com/advisories/GHSA-9cvc-h2w8-phrp
github.com/aws/aws-sdk-net
github.com/aws/aws-sdk-net/security/advisories/GHSA-9cvc-h2w8-phrp
nvd.nist.gov/vuln/detail/CVE-2026-22611

Code Behaviors & Features

Detect and mitigate CVE-2026-22611 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →