CVE-2026-3336 - Vulnerability Details

- PKCS7_verify Certificate Chain Validation Bypass in AWS-LC

Description

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

Published: 2026-03-02

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

PKCS7_verify() performs certificate chain validation when processing PKCS7 objects. In AWS‑LC, the implementation allows an unauthenticated user to bypass the verification for all but the final signer, effectively disabling the check for intermediate certificates. This flaw can be exploited by supplying a crafted PKCS7 object that is accepted as valid, allowing an attacker to create a trusted‑looking certificate chain, which is inferred from the description although not explicitly stated.

Affected Systems

Amazon Web Services (AWS) does not need to take action. Applications that link directly against the AWS‑LC library, such as custom cryptographic tools or services that perform PKCS7 processing, are vulnerable if they use any AWS‑LC version earlier than 1.69.0. The vulnerability is confined to the library; it does not affect customers who rely solely on AWS cloud services.

Risk and Exploitability

The CVSS base score of 8.7 marks this a high‑severity vulnerability. With an EPSS below 1% the likelihood of exploitation is low, and it is not listed in the CISA KEV catalog. The attack vector is external and does not require privileged access. Based on the description, it is inferred that an attacker could forge certificate chains, potentially leading to authentication bypass or other malicious activity in any system that accepts the forged PKCS7 objects.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AWS

AWS-LC

unaffected

Version	Status	Constraints
`1.41.0`	affected	< 1.69.0

Configuration 1 [-]

OR	cpe:2.3:a:amazon:aws-lc-sys::::::rust::*
	cpe:2.3:a:amazon:aws_libcrypto::::::::

No data.

Vendor Product Confidence Versions

Aws

Aws-lc

100%

Version	Status	Scheme	Platform
`[1.41.0,1.69.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade your application to use AWS‑LC version 1.69.0 or later, which fixes the verification logic.
Rebuild all linked binaries to ensure they reference the updated AWS‑LC library.
Verify that PKCS7 verification behaves correctly by executing targeted tests against known bad and good PKCS7 objects.

Generated by OpenCVE AI on April 17, 2026 at 13:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://aws.amazon.com/security/security-bulletins/2026-005-AWS/
https://github.com/aws/aws-lc/releases/tag/v1.69.0
https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp
https://nvd.nist.gov/vuln/detail/CVE-2026-3336
https://www.cve.org/CVERecord?id=CVE-2026-3336

History

Wed, 11 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon Amazon aws-lc-sys Amazon aws Libcrypto
CPEs	cpe:2.3:a:aws:aws_libcrypto::::::::	cpe:2.3:a:amazon:aws-lc-sys::::::rust::* cpe:2.3:a:amazon:aws_libcrypto::::::::
Vendors & Products	Aws aws Libcrypto	Amazon Amazon aws-lc-sys Amazon aws Libcrypto

Mon, 09 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aws aws Libcrypto
CPEs		cpe:2.3:a:aws:aws_libcrypto::::::::
Vendors & Products		Aws aws Libcrypto

Wed, 04 Mar 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aws Aws aws-lc
Vendors & Products		Aws Aws aws-lc

Wed, 04 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3336 https://www.cve.org/CVERecord?id=CVE-2026-3336
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 03 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 22:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp

Mon, 02 Mar 2026 21:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/aws/aws-lc/releases/tag/v1.69.0

Mon, 02 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Title		PKCS7_verify Certificate Chain Validation Bypass in AWS-LC
Weaknesses		CWE-295
References		https://aws.amazon.com/security/security-bulletins/2026-005-AWS/
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Amazon Aws-lc-sys Aws Libcrypto

Aws Aws-lc

MITRE

Status: PUBLISHED

Assigner: AMZN

Published: 2026-03-02T21:15:16.709Z

Updated: 2026-03-03T20:05:26.157Z

Reserved: 2026-02-27T15:16:27.359Z

Link: CVE-2026-3336

Vulnrichment

Updated: 2026-03-03T20:05:23.006Z

NVD

Status : Analyzed

Published: 2026-03-02T22:16:31.277

Modified: 2026-03-11T17:16:00.823

Link: CVE-2026-3336

Redhat

Severity : Important

Publid Date: 2026-03-02T21:15:16Z

Links: CVE-2026-3336 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses

CWE-295

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object