{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4428", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "state": "PUBLISHED", "assignerShortName": "AMZN", "dateReserved": "2026-03-19T13:42:59.783Z", "datePublished": "2026-03-19T20:37:53.851Z", "dateUpdated": "2026-03-19T20:40:06.587Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-03-19T20:40:06.587Z"}, "title": "CRL Distribution Point Scope Check Logic Error in AWS-LC", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-299", "description": "CWE-299 Improper check for certificate revocation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Adversary in the Middle (AiTM)"}]}], "affected": [{"vendor": "AWS", "product": "AWS-LC", "versions": [{"status": "affected", "version": "1.24.0", "lessThan": "1.71.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "AWS", "product": "AWS-LC-FIPS", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.3.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.\n\nTo remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.<br><br>To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.</p>"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-010-AWS/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/aws/aws-lc/releases/tag/v1.71.0", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.\n\nTo remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0."}], "id": "CVE-2026-4428", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}, "published": "2026-03-19T21:17:14.170", "references": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "url": "https://aws.amazon.com/security/security-bulletins/2026-010-AWS/"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "url": "https://github.com/aws/aws-lc/releases/tag/v1.71.0"}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-299"}], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.24.0,1.71.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "AWS-LC", "source": "cna", "vendor": "AWS"}, "product": "aws-lc", "vendor": "aws"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.3.0)"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 85.0, "source": "matching"}]}, "original": {"product": "AWS-LC-FIPS", "source": "cna", "vendor": "AWS"}, "product": "aws-lc-fips", "vendor": "aws"}], "analysis": {"en": {"generated_at": "2026-03-19T22:51:57.414739+00:00", "value": {"mitigation_remediation": ["Upgrade to AWS\u2011LC 1.71.0 or AWS\u2011LC\u2011FIPS\u20113.3.0"], "summary": {"action": "Apply Patch", "impact": "Certificate Revocation Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects AWS:AWS-LC and AWS:AWS-LC\u2011FIPS. All versions prior to AWS\u2011LC 1.71.0 and any pre\u20113.3.0 releases of AWS\u2011LC\u2011FIPS are impacted. Upgrading to the specified versions eliminates the flaw, as noted in the vendor advisory.", "description_and_impact": "A logic error in the CRL distribution point validation within AWS\u2011LC causes partitioned CRLs to be incorrectly rejected as out of scope. This flaw allows a revoked certificate to bypass certificate revocation checks, compromising the integrity of applications that rely on revocation verification. The weakness is a scope validation error, classified as CWE\u2011299, which directly undermines the authentication assurance of the affected systems.", "risk_and_exploitability": "The CVSS score of 9.1 indicates high severity, and the EPSS score is not available, while the vulnerability is not listed in the KEV catalog. Based on the description, it is inferred that an attacker could supply a revoked certificate\u2014potentially via network interception or compromised certificate authority\u2014to an application that uses AWS\u2011LC for validation. This could enable impersonation or unauthorized access, representing a significant risk to systems that depend on accurate revocation checking."}}}}, "created": "2026-03-20T08:56:11.590928+00:00", "updated": "2026-03-20T11:06:21.659645+00:00", "vendors": ["aws", "aws$PRODUCT$aws-lc", "aws$PRODUCT$aws-lc-fips"]}