PT-2026-22702 · Amazon Web Services · Aws-Lc

Joshua Rogers · Published 2026-03-02 · Updated 2026-03-11 · CVE-2026-3336

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

AWS-LC versions prior to 1.69.0

Description

A flaw in the `PKCS7_verify()` function in AWS-LC allows an unauthenticated user to bypass certificate chain verification when a PKCS7 object contains multiple signers. The bypass applies to every signer except the final one. This improper certificate validation could potentially allow malicious actors to compromise the integrity of secure communications.

Recommendations

Upgrade AWS-LC to version 1.69.0 or later.

Fix

Improper Certificate Validation


Weakness Enumeration

Related identifiers

CVE-2026-3336
GHSA-CFWJ-9WP5-WQVP
GHSA-VW5V-4F2Q-W9XF
RUSTSEC-2026-0046

Affected products

Aws-Lc