CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-4428: Issues with AWS-LC - CRL Distribution Point Scope Check Logic Error

unknownCVE-2026-4428
Bulletin ID: 2026-010-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/19 13:30 PM PDT Description: AWS-LC is a general-purpose cryptographic library maintained by AWS. We identified CVE-2026-4428 affecting X.509 certificate verification. A logic error in the CRL (Certificate Revocation List) distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions. Applications that do not enable CRL checking (X509_V_FLAG_CRL_CHECK) are not affected. Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected. Impacted versions: - CRL Distribution Point Scope Check Logic Error in AWS-LC >= v1.24.0, < v1.71.0 - CRL Distribution Point Scope Check Logic Error in AWS-LC-FIPS >= AWS-LC-FIPS-3.0.0, < AWS-LC-FIPS-3.3.0 - CRL Distribution Point Scope Check Logic Error in aws-lc-sys >= v0.15.0, < v0.39.0 - CRL Distribution Point Scope Check Logic Error in aws-lc-fips-sys >= v0.13.0, < v0.13.13 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

vendor: Amazonproduct: AWS-LCOtheraffected: >= v1.24.0, < v1.71.0
What
A logic error allows a revoked certificate to bypass revocation checks during validation.
Who is affected
Applications using AWS-LC with CRL checking enabled.
Urgency
Remediation is important as it affects certificate validation integrity.
Action
Update to a version of AWS-LC outside the affected range.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch AWS-LC

Get an email when a new AWS-LC advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-010-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-4428coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins