CVE-2026-3336

HIGH

AWS-LC <1.69.0 - Auth Bypass

Title source: llm

Description

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

References (3)

[Various Sources] https://aws.amazon.com/security/security-bulletins/2026-005-AWS/

[Release Notes] https://github.com/aws/aws-lc/releases/tag/v1.69.0

[Vendor Advisory] https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 2.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (3)

amazon/aws-lc-sys 0.24.0 - 0.38.0

amazon/aws_libcrypto 1.41.0 - 1.69.0

aws/aws_libcrypto 1.41.0 - 1.69.0

Published Mar 02, 2026

Tracked Since Mar 03, 2026