CVE-2026-3337

Summary

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.

The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

Affected Software

VendorProductVersion RangeStatus
AWSAWS-LC1.21.0 < 1.69.0affected
AWSAWS-LC-FIPS3.0.0 < 3.2.0affected

Weaknesses

  • CWE-208: CWE-208 (Observable Timing Discrepancy)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References