CVE-2026-3336

HIGH

AWS-LC <1.69.0 - Auth Bypass

Title source: llm

Description

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

References (3)

[Various Sources] https://aws.amazon.com/security/security-bulletins/2026-005-AWS/

[Release Notes] https://github.com/aws/aws-lc/releases/tag/v1.69.0

[Vendor Advisory] https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp

Scores

CVSS v3 7.5

EPSS 0.0003

EPSS Percentile 8.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-295

Status published

Affected Products (1)

aws/aws_libcrypto < 1.69.0

Timeline

Published Mar 02, 2026

Tracked Since Mar 03, 2026