CVE-2026-3336

Summary

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

Affected Software

VendorProductVersion RangeStatus
AWSAWS-LC1.41.0 < 1.69.0affected

Weaknesses

  • CWE-295: CWE-295 (Improper Certificate Validation)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

aws-lc: aws-lc: Certificate validation bypass via improper handling of PKCS7 objects

Additional References

References