Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)
Bulletin ID: 2026-005-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/02 14:30 PM PST Description: AWS-LC is an open-source, general-purpose cryptographic library. We identified three distinct issues: - CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. - CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification in AWS-LC Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. - CVE-2026-3338: PKCS7_verify Signature Validation bypass in AWS-LC Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Impacted versions: - PKCS7_verify Certificate Chain Validation Bypass in AWS-LC >= v1.41.0, < v1.69.0 - PKCS7_verify Certificate Chain Validation Bypass in aws-lc-sys >= v0.24.0, < v0.38.0 - Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= v1.21.0, < v1.69.0 - Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= AWS-LC-FIPS-3.0.0, < AWS-LC-FIPS-3.2.0 - Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys >= v0.14.0, < v0.38.0 - Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys-fips >= v0.13.0, < v0.13.12 - PKCS7_verify Signature Validation bypass in AWS-LC >= v1.41.0, < v1.69.0 - PKCS7_verify Signature Validation bypass in aws-lc-sys >= v0.24.0, < v0.38.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- Multiple vulnerabilities allow unauthenticated users to bypass certificate validation and exploit timing discrepancies.
- Who is affected
- Users of the AWS-LC cryptographic library.
- Urgency
- Remediation is urgent due to the potential for exploitation of cryptographic weaknesses.
- Action
- Update to the latest version of AWS-LC.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch AWS-LC
Get an email when a new AWS-LC advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-005-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-33360.77% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 51% of all scored CVEs.
- Moderate exploitation riskCVE-2026-33371.1% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 61% of all scored CVEs.
- Low exploitation riskCVE-2026-33380.78% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 52% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-3336 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-3337 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-3338 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Issue with AWS-LC
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-4428: Issues with AWS-LC - CRL Distribution Point Scope Check Logic Erroraws · 2026-06-05
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01