CVE-2026-3337

Published: Mar 2, 2026Modified: Mar 11, 2026

8.2

Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5 (Secondary)

Description

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

Affected (4)

Products: Amazon: Aws Lc Fips Sys, Aws Lc Sys, Aws Libcrypto

3 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Amazon Aws Lc Fips Sys	From 0.13.0 to 0.13.12
Amazon Aws Lc Sys	From 0.14.0 to 0.38.0
Amazon Aws Libcrypto	From 1.21.0 to 1.69.0
Amazon Aws Libcrypto	From 3.0.0 to 3.2.0

Related CWEs

CWE-208

Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (3)

https://aws.amazon.com/security/security-bulletins/2026-005-AWS/

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Vendor Advisory

https://github.com/aws/aws-lc/releases/tag/v1.69.0

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Release Notes

https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh

Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Vendor Advisory

Timeline

No history available yet.