Description
Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Scores
CVSS v3
5.9
EPSS
0.0004
EPSS Percentile
11.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-208
Status
published
Products (6)
amazon/aws-lc-fips-sys
0.13.0 - 0.13.12
amazon/aws-lc-sys
0.14.0 - 0.38.0
amazon/aws_libcrypto
1.21.0 - 1.69.0
amazon/aws_libcrypto
3.0.0 - 3.2.0
aws/aws_libcrypto
1.21.0 - 1.69.0
aws/aws_libcrypto
3.0.0 - 3.2.0
Published
Mar 02, 2026
Tracked Since
Mar 03, 2026