CVE-2026-3338 - Vulnerability Details

- PKCS7_verify Signature Validation Bypass in AWS-LC

Description

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

Published: 2026-03-02

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Improper signature validation in PKCS7_verify() in AWS‑LC allows an unauthenticated user to bypass verification when processing PKCS7 objects that contain authenticated attributes. This flaw means that forged signatures can be accepted as valid, potentially enabling an attacker to impersonate legitimate signers or perform unauthorized operations that rely on signature authenticity and integrity.

Affected Systems

The vulnerability exists in the AWS‑LC library from Amazon Web Services. The advisory does not specify all affected version ranges, but customers using legacy AWS‑LC binaries should upgrade to at least version 1.69.0, which includes the fix. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is reported as less than 1 %, suggesting that exploitation is considered unlikely at the time of analysis. The flaw is not listed in CISA’s KEV catalog. The attack vector is not explicitly stated in the advisory; it is inferred that an attacker would need to supply a crafted PKCS7 object to a vulnerable application that uses AWS‑LC's PKCS7_verify function, thus the vulnerability can be exploited remotely or locally depending on how the library is accessed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AWS

AWS-LC

unaffected

Version	Status	Constraints
`1.41.0`	affected	< 1.69.0

Configuration 1 [-]

OR	cpe:2.3:a:amazon:aws-lc-sys::::::rust::*
	cpe:2.3:a:amazon:aws_libcrypto::::::::

No data.

Vendor Product Confidence Versions

Aws

Aws-lc

100%

Version	Status	Scheme	Platform
`[1.41.0,1.69.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade AWS‑LC to version 1.69.0 or later.
If an immediate upgrade is not possible, review application code to ensure that PKCS7_verify is only called with trusted data and avoid processing authenticated attribute PKCS7 objects from untrusted sources.
Add a defensive wrapper around PKCS7_verify that performs strict validation of the PKCS7 structure and authenticated attributes before invocation, rejecting any object that does not conform.

Generated by OpenCVE AI on April 17, 2026 at 13:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://aws.amazon.com/security/security-bulletins/2026-005-AWS/
https://github.com/aws/aws-lc/releases/tag/v1.69.0
https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj
https://nvd.nist.gov/vuln/detail/CVE-2026-3338
https://www.cve.org/CVERecord?id=CVE-2026-3338

History

Wed, 11 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon Amazon aws-lc-sys Amazon aws Libcrypto
CPEs	cpe:2.3:a:aws:aws_libcrypto::::::::	cpe:2.3:a:amazon:aws-lc-sys::::::rust::* cpe:2.3:a:amazon:aws_libcrypto::::::::
Vendors & Products	Aws aws Libcrypto	Amazon Amazon aws-lc-sys Amazon aws Libcrypto

Wed, 11 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aws aws Libcrypto
CPEs		cpe:2.3:a:aws:aws_libcrypto::::::::
Vendors & Products		Aws aws Libcrypto

Wed, 04 Mar 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aws Aws aws-lc
Vendors & Products		Aws Aws aws-lc

Wed, 04 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3338 https://www.cve.org/CVERecord?id=CVE-2026-3338
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 03 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 22:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj

Mon, 02 Mar 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Title		PKCS7_verify Signature Validation Bypass in AWS-LC
Weaknesses		CWE-347
References		https://aws.amazon.com/security/security-bulletins/2026-005-AWS/ https://github.com/aws/aws-lc/releases/tag/v1.69.0
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Amazon Aws-lc-sys Aws Libcrypto

Aws Aws-lc

MITRE

Status: PUBLISHED

Assigner: AMZN

Published: 2026-03-02T21:22:41.954Z

Updated: 2026-03-03T14:39:48.768Z

Reserved: 2026-02-27T15:16:29.281Z

Link: CVE-2026-3338

Vulnrichment

Updated: 2026-03-03T14:39:43.993Z

NVD

Status : Analyzed

Published: 2026-03-02T22:16:32.350

Modified: 2026-03-11T16:54:59.103

Link: CVE-2026-3338

Redhat

Severity : Important

Publid Date: 2026-03-02T21:22:41Z

Links: CVE-2026-3338 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses

CWE-347

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object