CVE-2026-3336
8.7
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow more
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5 (Secondary)
Description
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Affected (2)
Products: Amazon: Aws Lc Sys, Aws Libcrypto
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| From 0.24.0 to 0.38.0 | |
| From 1.41.0 to 1.69.0 |
References (3)
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Vendor Advisory
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Release Notes
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Vendor Advisory
Timeline
No history available yet.