Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.
To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.
AnalysisAI
A logic error in AWS-LC's CRL (Certificate Revocation List) distribution point validation causes the cryptographic library to incorrectly reject partitioned CRLs as out of scope, allowing revoked certificates to bypass certificate revocation checks. This authentication bypass vulnerability affects AWS-LC versions before 1.71.0 and AWS-LC-FIPS versions before 3.3.0, potentially allowing attackers to use revoked certificates for unauthorized access to systems that rely on AWS-LC for certificate validation. No active exploitation has been reported in KEV, and no EPSS score is available yet.
Technical ContextAI
AWS-LC is Amazon's fork of BoringSSL, a cryptographic library used for TLS/SSL implementations and certificate validation. The vulnerability stems from a logic error (CWE-299: Improper Check for Certificate Revocation) in how the library validates Certificate Revocation List distribution points, specifically when dealing with partitioned CRLs - a mechanism where large CRLs are split into smaller segments for efficiency. The affected products are identified through CPE as cpe:2.3:a:aws:aws-lc:*:*:*:*:*:*:*:* (versions before 1.71.0) and cpe:2.3:a:aws:aws-lc-fips:*:*:*:*:*:*:*:* (versions before 3.3.0). This flaw allows certificates that should be marked as revoked to be accepted as valid, undermining the entire certificate revocation infrastructure.
RemediationAI
Upgrade AWS-LC to version 1.71.0 or later, or AWS-LC-FIPS to version 3.3.0 or later as detailed in the vendor's security bulletin at https://aws.amazon.com/security/security-bulletins/2026-010-AWS/. The patched versions are available at https://github.com/aws/aws-lc/releases/tag/v1.71.0. As an interim mitigation, organizations could disable partitioned CRL checking if feasible, though this may impact performance with large CRLs. Additionally, implement defense-in-depth measures such as certificate pinning for critical services and monitor for unexpected certificate usage patterns. Given the authentication bypass nature of this vulnerability, expedite patching for internet-facing services that rely on certificate revocation for access control.
Same weakness CWE-299 – Improper Check for Certificate Revocation
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13237
GHSA-9f94-5g5w-gf6r