PT-2026-26369 · Amazon Web Services · Aws-Lc+2

Published

2026-03-19

·

Updated

2026-03-22

·

CVE-2026-4428

CVSS v3.1

7.4

High

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

AWS-LC versions prior to 1.71.0
aws-lc-sys versions 0.15.0 through 0.39.0
aws-lc-fips-sys versions 0.13.0 through 0.13.13
Description

A logic error in CRL distribution point validation in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation when the application enables CRL checking and uses partitioned CRLs carrying Issuing Distribution Point (IDP) extensions. Customers of AWS services do not require action. The issue also affects applications that consume AWS-LC through the aws-lc-sys and aws-lc-fips-sys Rust bindings.
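The check the description refers to is the RFC 5280 section 6.3.3 rule that a partitioned CRL (one with an IDP extension) may only decide the status of a certificate whose CRL distribution point matches that IDP. The following Python model is an added illustrative example, not AWS-LC or aws-lc-sys code and not a description of the specific AWS-LC defect; certificates, CRLs and distribution-point names are reduced to plain values, and CRL signatures and validity windows are assumed already verified. It contrasts a fail-closed checker with a generic lenient one that ignores the IDP, to show how a revoked certificate can appear "good" when the wrong partition is consulted.

```python
"""Model of RFC 5280 section 6.3.3 CRL selection with partitioned CRLs.

Added illustrative example, not AWS-LC or aws-lc-sys code and not a
description of the AWS-LC defect. Certificates, CRLs and distribution-point
names are simplified to plain Python values; CRL signatures, validity
windows and issuer-name matching are assumed to have been verified already.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

REVOKED = "revoked"
GOOD = "good"
UNDETERMINED = "undetermined"


@dataclass
class Cert:
    serial: int
    issuer: str
    crl_dps: List[str]          # URIs from the CRLDistributionPoints extension


@dataclass
class Crl:
    issuer: str
    revoked: Set[int]           # serial numbers listed as revoked
    idp: Optional[str] = None   # IssuingDistributionPoint.distributionPoint URI;
                                # None means a complete (non-partitioned) CRL


def crl_covers_cert(crl: Crl, cert: Cert) -> bool:
    """A CRL may decide a cert's status only if the issuers match and, when
    the CRL is partitioned (IDP present), the IDP distribution point matches
    one of the cert's distribution points (RFC 5280 6.3.3 step (b)(2)(i)).
    A partition that does not name the cert's DP says nothing about it."""
    if crl.issuer != cert.issuer:
        return False
    if crl.idp is None:
        return True
    return crl.idp in cert.crl_dps


def check_revocation(cert: Cert, crls: List[Crl]) -> str:
    """Fail-closed check: GOOD only when a covering CRL exists and the serial
    is absent from every covering CRL. No covering CRL gives UNDETERMINED,
    which a verifier must treat as failure when CRL checking is required."""
    covering = [c for c in crls if crl_covers_cert(c, cert)]
    if not covering:
        return UNDETERMINED
    if any(cert.serial in c.revoked for c in covering):
        return REVOKED
    return GOOD


def lenient_check_revocation(cert: Cert, crls: List[Crl]) -> str:
    """Generic failure mode (illustrative only): ignore the IDP and treat any
    CRL from the issuer as complete. A partition that does not cover the
    cert then yields GOOD for a cert revoked in a different partition."""
    from_issuer = [c for c in crls if c.issuer == cert.issuer]
    if not from_issuer:
        return UNDETERMINED
    if any(cert.serial in c.revoked for c in from_issuer):
        return REVOKED
    return GOOD


# Constructed sample data: one CA publishing two CRL partitions.
CA = "CN=Example CA"
P1 = "http://crl.example.test/partition1.crl"
P2 = "http://crl.example.test/partition2.crl"

PARTITION_1 = Crl(issuer=CA, revoked={0x0001}, idp=P1)
PARTITION_2 = Crl(issuer=CA, revoked={0x1001}, idp=P2)
COMPLETE_CRL = Crl(issuer=CA, revoked={0x0001, 0x1001})

# Leaf cert points at partition 2 and is listed there as revoked.
LEAF = Cert(serial=0x1001, issuer=CA, crl_dps=[P2])


if __name__ == "__main__":
    print("both partitions :", check_revocation(LEAF, [PARTITION_1, PARTITION_2]))
    print("only partition 1:", check_revocation(LEAF, [PARTITION_1]))
    print("lenient, p1 only:", lenient_check_revocation(LEAF, [PARTITION_1]))
    print("complete CRL    :", check_revocation(LEAF, [COMPLETE_CRL]))
```

The property to keep in mind when reviewing any CRL implementation is the UNDETERMINED outcome: a partition that does not cover the certificate must never be promoted to a "not revoked" answer, and a verifier with CRL checking enabled must fail rather than accept when no covering CRL is available.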
Recommendations

Upgrade AWS-LC to version 1.71.0 or later.
Upgrade aws-lc-sys to the most recent release.
Upgrade aws-lc-fips-sys to the most recent release.
As a workaround, disable CRL checking (do not set X509_V_FLAG_CRL_CHECK). Note that this removes CRL-based revocation checking entirely, so it should be a temporary measure only.
As a workaround, use complete (non-partitioned) CRLs without IDP extensions.
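To find out whether a Rust project pulls in one of the affected bindings, the Cargo.lock can be checked against the version ranges above. The script below is an added example, not tooling from AWS-LC or from this advisory; the ranges are copied from the advisory text, the "aws-lc" entry is for a manually supplied version of a vendored AWS-LC build, and the Cargo.lock contents embedded in it are constructed sample input.

```python
"""Audit a Cargo.lock for the aws-lc-sys / aws-lc-fips-sys versions named in
this advisory, plus a helper for a vendored AWS-LC version string.

Added example, not tooling from AWS-LC or the advisory. Affected ranges are
copied from the advisory; SAMPLE_CARGO_LOCK is constructed input.
"""
import re
import sys
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'0.13.14' -> (0, 13, 14). Pre-release and build suffixes are dropped,
    so '0.39.0-rc1' compares as 0.39.0 and is treated as affected."""
    core = text.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


# Affected ranges as stated in the advisory.
AFFECTED: Dict[str, Callable[[Version], bool]] = {
    "aws-lc": lambda v: v < (1, 71, 0),                            # prior to 1.71.0
    "aws-lc-sys": lambda v: (0, 15, 0) <= v <= (0, 39, 0),         # 0.15.0 through 0.39.0
    "aws-lc-fips-sys": lambda v: (0, 13, 0) <= v <= (0, 13, 13),   # 0.13.0 through 0.13.13
}


def is_affected(name: str, version: str) -> bool:
    """True if (name, version) falls inside one of the advisory's ranges."""
    predicate = AFFECTED.get(name)
    return predicate is not None and predicate(parse_version(version))


# Cargo.lock lists each package as a [[package]] table whose first two keys
# are name and version, which is all this audit needs.
PACKAGE_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')


def lock_packages(lock_text: str) -> List[Tuple[str, str]]:
    """All (name, version) pairs in a Cargo.lock."""
    return PACKAGE_RE.findall(lock_text)


def affected_packages(lock_text: str) -> List[Tuple[str, str]]:
    """Only the (name, version) pairs that are inside an affected range."""
    return [(n, v) for n, v in lock_packages(lock_text) if is_affected(n, v)]


# Constructed sample: one affected aws-lc-sys, one already-fixed aws-lc-fips-sys.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "aws-lc-fips-sys"
version = "0.13.14"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "aws-lc-sys",
]

[[package]]
name = "aws-lc-sys"
version = "0.30.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


if __name__ == "__main__":
    # Usage: python audit.py [path/to/Cargo.lock]; exits 1 if anything is affected.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CARGO_LOCK
    hits = affected_packages(text)
    for name, version in hits:
        print(f"AFFECTED: {name} {version}")
    if not hits:
        print("no affected aws-lc-sys / aws-lc-fips-sys versions found")
    sys.exit(1 if hits else 0)
```

The script only reads the lock file, so it reports what the build actually resolves rather than what Cargo.toml declares; the exit code makes it usable as a CI gate until the upgrade lands.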

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-4428
GHSA-9F94-5G5W-GF6R
RUSTSEC-2026-0042
RUSTSEC-2026-0048

Affected Products

Aws-Lc
Aws-Lc-Fips-Sys
Aws-Lc-Sys