CVE-2026-4428

Summary

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.

To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.

Affected Software

VendorProductVersion RangeStatus
AWSAWS-LC1.24.0 < 1.71.0affected
AWSAWS-LC-FIPS3.0.0 < 3.3.0affected

Weaknesses

  • CWE-299: CWE-299 Improper check for certificate revocation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References