PT-2026-22703 · Amazon Web Services · Aws-Lc
Joshua Rogers · Published 2026-03-02 · Updated 2026-03-11
CVE-2026-3337
CVSS v4.0: 8.2 (High)
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
AWS-LC versions prior to 1.69.0
Description
An observable timing discrepancy in AES-CCM decryption within AWS-LC could allow an unauthenticated user to potentially determine authentication tag validity through timing analysis. The impacted implementations utilize the EVP_CIPHER API, specifically EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.
Recommendations
Upgrade to AWS-LC version 1.69.0.
Affected Products
Aws-Lc