AWS
CVE-2026-3337
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.
The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
AnalysisAI
Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.
Technical ContextAI
Affects Aws-Lc-Fips-Sys. Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.
The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal
Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin manag
Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to
Craft CMS versions 3.5.0-4.16.17 and 5.0.0-RC1-5.8.21 contain a server-side request forgery vulnerability in the save_im
Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9.
GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system
Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.
The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege esca
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows una
BLUVOYIX's email sending API contains design flaws that permit unauthenticated attackers to send arbitrary emails on beh
Same weakness CWE-208 – Observable Timing Discrepancy
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-65p9-r9h6-22vj