CVE-2026-3338

HIGH

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

CVSS v3.1 Score

7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Published: 3/2/2026Modified: 3/11/2026

Related Intelligence (1)

LOWVulnerability

Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)

<p><b>Bulletin ID:</b> 2026-005-AWS<br> <b>Scope:</b> AWS<br> <b>Content Type:</b> Important (requires attention)<br> <b>Publication Date:</b> 2026/03/02 14:30 PM PST</p> <p><b>Description:</b></p> <p>AWS-LC is an open-source, general-purpose cryptographic library. We identified three distinct issues:</p> <p>- CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC<br> Improper c

CVE-2026-3336CVE-2026-3337
AWS Security Bulletins

References (3)

https://aws.amazon.com/security/security-bulletins/2026-005-AWS/Vendor Advisoryhttps://github.com/aws/aws-lc/releases/tag/v1.69.0Release Noteshttps://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wjVendor Advisory