CVE-2026-3338
HIGHAWS-LC < 1.69.0 - Improper Verification of Cryptographic Signature in PKCS7_verify()
Title source: llmDescription
Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
References (3)
Core 3
Core References
Various Sources vendor-advisory
https://aws.amazon.com/security/security-bulletins/2026-005-AWS/
Release Notes patch
https://github.com/aws/aws-lc/releases/tag/v1.69.0
Vendor Advisory third-party-advisory
https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj
Scores
CVSS v3
7.5
EPSS
0.0070
EPSS Percentile
48.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-347
Status
published
Products (2)
amazon/aws-lc-sys
0.24.0 - 0.38.0
amazon/aws_libcrypto
1.41.0 - 1.69.0
Published
Mar 02, 2026
Tracked Since
Mar 03, 2026