Skip to main content

AWS CVE-2026-3337

MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-03-02 ff89ba41-3aa1-4d27-914a-91399e9639e5 GHSA-65p9-r9h6-22vj
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 02, 2026 - 22:16 nvd
MEDIUM 5.9

DescriptionCVE.org

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.

The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

AnalysisAI

Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.

Technical ContextAI

Affects Aws-Lc-Fips-Sys. Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.

The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More in AWS

View all
CVE-2026-27702 CRITICAL POC
9.9 Feb 25

Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal

CVE-2020-37153 CRITICAL POC
9.8 Feb 11

Multiple vulnerabilities in ASTPP 4.0.1 including XSS and command injection in SIP device configuration and plugin manag

CVE-2019-25333 HIGH POC
7.5 Feb 12

Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to

CVE-2026-25492 MEDIUM POC
6.5 Feb 09

Craft CMS versions 3.5.0-4.16.17 and 5.0.0-RC1-5.8.21 contain a server-side request forgery vulnerability in the save_im

CVE-2025-20286 CRITICAL
9.9 Jun 04

Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9.

CVE-2020-37114 MEDIUM POC
4.3 Feb 03

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system

CVE-2025-52454 HIGH
8.2 Jul 25

Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side

CVE-2026-27700 HIGH
8.2 Feb 25

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

CVE-2025-61916 HIGH
7.9 Jan 05

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.

CVE-2025-4960 HIGH
7.8 Feb 19

The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege esca

CVE-2025-15115 MEDIUM
6.5 Jan 04

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows una

CVE-2026-22239 MEDIUM
5.3 Jan 14

BLUVOYIX's email sending API contains design flaws that permit unauthenticated attackers to send arbitrary emails on beh

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-3337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy