CVE-2026-3336
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AWS | AWS-LC | 1.41.0 < 1.69.0 | affected |
Weaknesses
- CWE-295: CWE-295 (Improper Certificate Validation)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
aws-lc: aws-lc: Certificate validation bypass via improper handling of PKCS7 objects
Additional References
- https://access.redhat.com/security/cve/CVE-2026-3336
- https://bugzilla.redhat.com/show_bug.cgi?id=2444026
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3336.json
- https://access.redhat.com/errata/RHSA-2026:5459
References
- https://aws.amazon.com/security/security-bulletins/2026-005-AWS/
- https://github.com/aws/aws-lc/releases/tag/v1.69.0
- https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.