Skip to main content

Red Hat EUVDEUVD-2026-13237

| CVE-2026-4428 HIGH
Improper Check for Certificate Revocation (CWE-299)
2026-03-19 AMZN GHSA-9f94-5g5w-gf6r
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 19, 2026 - 21:00 euvd
EUVD-2026-13237
Analysis Generated
Mar 19, 2026 - 21:00 vuln.today
Patch released
Mar 19, 2026 - 21:00 nvd
Patch available
CVE Published
Mar 19, 2026 - 20:37 nvd
HIGH 7.4

DescriptionCVE.org

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.

To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.

AnalysisAI

A logic error in AWS-LC's CRL (Certificate Revocation List) distribution point validation causes the cryptographic library to incorrectly reject partitioned CRLs as out of scope, allowing revoked certificates to bypass certificate revocation checks. This authentication bypass vulnerability affects AWS-LC versions before 1.71.0 and AWS-LC-FIPS versions before 3.3.0, potentially allowing attackers to use revoked certificates for unauthorized access to systems that rely on AWS-LC for certificate validation. No active exploitation has been reported in KEV, and no EPSS score is available yet.

Technical ContextAI

AWS-LC is Amazon's fork of BoringSSL, a cryptographic library used for TLS/SSL implementations and certificate validation. The vulnerability stems from a logic error (CWE-299: Improper Check for Certificate Revocation) in how the library validates Certificate Revocation List distribution points, specifically when dealing with partitioned CRLs - a mechanism where large CRLs are split into smaller segments for efficiency. The affected products are identified through CPE as cpe:2.3:a:aws:aws-lc:*:*:*:*:*:*:*:* (versions before 1.71.0) and cpe:2.3:a:aws:aws-lc-fips:*:*:*:*:*:*:*:* (versions before 3.3.0). This flaw allows certificates that should be marked as revoked to be accepted as valid, undermining the entire certificate revocation infrastructure.

RemediationAI

Upgrade AWS-LC to version 1.71.0 or later, or AWS-LC-FIPS to version 3.3.0 or later as detailed in the vendor's security bulletin at https://aws.amazon.com/security/security-bulletins/2026-010-AWS/. The patched versions are available at https://github.com/aws/aws-lc/releases/tag/v1.71.0. As an interim mitigation, organizations could disable partitioned CRL checking if feasible, though this may impact performance with large CRLs. Additionally, implement defense-in-depth measures such as certificate pinning for critical services and monitor for unexpected certificate usage patterns. Given the authentication bypass nature of this vulnerability, expedite patching for internet-facing services that rely on certificate revocation for access control.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-13237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy