PT-2026-22702 · Amazon Web Services · Aws-Lc

Joshua Rogers · Published 2026-03-02 · Updated 2026-03-11 · CVE-2026-3336

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: AWS-LC versions prior to 1.69.0

Description: A flaw exists in the PKCS7 verify() function within AWS-LC that allows an unauthenticated user to circumvent certificate chain verification when handling PKCS7 objects containing multiple signers: the chain is not verified for any signer other than the final one. This improper certificate validation could allow malicious actors to compromise the integrity of secure communications.

Recommendations: Upgrade AWS-LC to version 1.69.0 or later.
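The affected case is a PKCS7 object that carries more than one signer. The following added example (not AWS-LC code and not part of this advisory) is a minimal DER walker that counts the SignerInfo entries in a PKCS#7/CMS signedData object, so that multi-signer messages can be logged or rejected at a system boundary while an unpatched AWS-LC is still deployed; `build_sample` constructs skeletal test data with placeholder signers and is an assumption of this example, not real signed content.

```python
# Added example, not AWS-LC code: count SignerInfo entries in a DER-encoded
# PKCS#7/CMS SignedData, so multi-signer messages (the case affected by
# CVE-2026-3336) can be flagged before they reach an unpatched verifier.

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def count_signers(der):
    """Return the number of SignerInfo entries in a signedData ContentInfo."""
    tag, content_info, _ = _tlv(der, 0)
    parts = list(_children(content_info))
    if tag != 0x30 or len(parts) < 2 or parts[0] != (0x06, OID_SIGNED_DATA) or parts[1][0] != 0xA0:
        raise ValueError("not a signedData ContentInfo")
    signed_data = next(_children(parts[1][1]))[1]  # SEQUENCE inside [0] EXPLICIT
    tag, signer_infos = list(_children(signed_data))[-1]  # signerInfos is the last field
    if tag != 0x31:
        raise ValueError("signerInfos must be a SET")
    return sum(1 for t, _ in _children(signer_infos) if t == 0x30)

def _der(tag, payload):
    """Encode one DER TLV with a minimal length field."""
    n = len(payload)
    if n >= 0x80:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(raw)]) + raw + payload
    return bytes([tag, n]) + payload

def build_sample(n_signers):
    """Constructed test data: a skeletal SignedData with n placeholder SignerInfos."""
    signer = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x00" * 64))  # version + dummy sig
    body = (_der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, OID_DATA))
            + _der(0x31, signer * n_signers))
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, _der(0x30, body)))
```

A gateway can call `count_signers` on each incoming blob and treat a result above 1 as a message that the unpatched verifier would only partially validate.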

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-3336
GHSA-CFWJ-9WP5-WQVP
GHSA-VW5V-4F2Q-W9XF
RUSTSEC-2026-0046

Affected Products

Aws-Lc