Skip to main content

AWS-LC CVE-2026-3336

HIGH
Improper Certificate Validation (CWE-295)
2026-03-02 ff89ba41-3aa1-4d27-914a-91399e9639e5 GHSA-vw5v-4f2q-w9xf
8.7
CVSS 4.0 · Vendor: ff89ba41-3aa1-4d27-914a-91399e9639e5
Share

Severity by source

Vendor (ff89ba41-3aa1-4d27-914a-91399e9639e5) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable, unauthenticated, no interaction (AV:N/AC:L/PR:N/UI:N); integrity-only certificate-validation bypass with no confidentiality or availability impact (C:N/I:H/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (ff89ba41-3aa1-4d27-914a-91399e9639e5).

CVSS VectorVendor: ff89ba41-3aa1-4d27-914a-91399e9639e5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 30, 2026 - 05:14 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:10 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:09 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:08 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.5 (HIGH) 8.7 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 02, 2026 - 22:16 nvd
HIGH 7.5

DescriptionCVE.org

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

AnalysisAI

Certificate chain verification bypass in AWS-LC, Amazon's libcrypto/BoringSSL-derived cryptographic library, lets unauthenticated attackers forge trust in PKCS7 objects carrying multiple signers: PKCS7_verify() validates only the final signer and skips chain verification for all preceding signers (CWE-295). Affected applications can be tricked into accepting signed data whose earlier signers chain to untrusted or invalid certificates. There is no public exploit identified at time of analysis, EPSS is low (0.03%, 10th percentile), and AWS-managed services are unaffected per the vendor, but the flaw is fixed in AWS-LC 1.69.0.

Technical ContextAI

AWS-LC is Amazon's general-purpose cryptographic library (forked from BoringSSL/OpenSSL) used by AWS services and third-party applications, exposed here through the aws-lc-sys Rust bindings and the aws_libcrypto component (CPEs cpe:2.3:a:amazon:aws-lc-sys and cpe:2.3:a:amazon:aws_libcrypto). PKCS7 (RFC 2315/CMS) supports detached or enveloped signatures with one or more SignerInfo structures, and PKCS7_verify() is responsible for validating each signer's certificate up to a trusted root. The root cause is CWE-295 Improper Certificate Validation: the implementation only performs chain verification for the last signer in a multi-signer PKCS7 structure, leaving every earlier signer's certificate chain unchecked, so a signature that appears valid does not guarantee its certificate is actually trusted.

RemediationAI

Vendor-released patch: AWS-LC version 1.69.0 - upgrade all applications and dependencies (including the aws-lc-sys Rust crate) to 1.69.0 or later, per the release at https://github.com/aws/aws-lc/releases/tag/v1.69.0 and the GitHub advisory https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp. Red Hat users should apply RHSA-2026:5459 (https://access.redhat.com/errata/RHSA-2026:5459). If immediate upgrade is not possible, a targeted compensating control is to avoid relying on PKCS7_verify() for multi-signer PKCS7 objects: reject PKCS7 structures containing more than one SignerInfo, or independently re-verify every signer's certificate chain in application code rather than trusting the library result; the trade-off is added application logic and possible rejection of legitimate multi-signer messages. AWS-managed service customers need take no action per the vendor bulletin (https://aws.amazon.com/security/security-bulletins/2026-005-AWS/).

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-3336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy