Description
A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.

To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.
Published: 2026-03-19
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Certificate Revocation Bypass
Action: Immediate Patch
AI Analysis

Impact

A logic flaw in the CRL distribution point validation routine of AWS‑LC before version 1.71.0 causes partitioned Certificate Revocation Lists to be incorrectly marked as out of scope. This flaw lets a revoked certificate succeed the revocation check, allowing an attacker to use a certificate that should be rejected. The weakness aligns with weaknesses that deny or bypass intended revocation logic and can lead to unauthorized access or man‑in‑the‑middle attacks when the revoked certificate is trusted by a client or server using AWS‑LC for validation.

Affected Systems

The vulnerability impacts the AWS‑LC cryptographic library and its FIPS‑compliant variant AWS‑LC‑FIPS. All installations of these libraries at versions earlier than 1.71.0 for AWS‑LC or 3.3.0 for AWS‑LC‑FIPS are affected.

Risk and Exploitability

The flaw carries a high CVSS score of 9.1 and is deemed unlikely to be widely exploited, with an EPSS score below 1 %. It is not currently listed in the CISA KEV catalog. The primary exploitation pathway would involve an environment that relies on AWS‑LC to validate certificates, wherein an attacker could supply a revoked certificate that is incorrectly accepted, thereby bypassing revocation checks.

Generated by OpenCVE AI on March 21, 2026 at 07:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AWS‑LC 1.71.0 or AWS‑LC‑FIPS 3.3.0, the versions that contain the fix for the CRL distribution point validation logic error.

Generated by OpenCVE AI on March 21, 2026 at 07:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-295
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Aws
Aws aws-lc
Aws aws-lc-fips
Vendors & Products Aws
Aws aws-lc
Aws aws-lc-fips

Thu, 19 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks. To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.
Title CRL Distribution Point Scope Check Logic Error in AWS-LC
Weaknesses CWE-299
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Aws Aws-lc Aws-lc-fips
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-03-25T14:13:42.572Z

Reserved: 2026-03-19T13:42:59.783Z

Link: CVE-2026-4428

cve-icon Vulnrichment

Updated: 2026-03-25T14:13:36.192Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-19T21:17:14.170

Modified: 2026-03-20T13:39:46.493

Link: CVE-2026-4428

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-19T20:37:53Z

Links: CVE-2026-4428 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:59Z

Weaknesses