CVE-2026-3338

HIGH

AWS-LC <1.69.0 - Auth Bypass

Title source: llm

Description

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

References (3)

[Various Sources] https://aws.amazon.com/security/security-bulletins/2026-005-AWS/

[Release Notes] https://github.com/aws/aws-lc/releases/tag/v1.69.0

[Vendor Advisory] https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 2.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-347

Status published

Products (2)

amazon/aws-lc-sys 0.24.0 - 0.38.0

amazon/aws_libcrypto 1.41.0 - 1.69.0

Published Mar 02, 2026

Tracked Since Mar 03, 2026