CVE-2026-3336 — Improper Certificate Validation in Aws-lc

CWE-295 — Improper Certificate Validation9 documents6 sources

Severity

8.7HIGHNVD

EPSS

0.0%

top 97.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

AWS Aws-lc Amazon Aws-lc-sys Amazon AWS Libcrypto +3 more

Timeline

PublishedMar 2

Latest updateMar 10

Description

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages7 packages

▶CVEListV5aws/aws-lc1.41.0 — 1.69.0

▶NVDamazon/aws-lc-sys0.24.0 — 0.38.0

▶crates.ioamazon/aws-lc-sys0.24.0 — 0.38.0

▶NVDamazon/aws_libcrypto1.41.0 — 1.69.0

▶msrcmsrc/azl3_grpc_1.62.3-1_on_azure_linux_3.0

🔴Vulnerability Details

OSV

AWS-LC has PKCS7_verify Certificate Chain Validation Bypass↗2026-03-03

▶

OSV

PKCS7_verify Certificate Chain Validation Bypass in AWS-LC↗2026-03-02

▶

📋Vendor Advisories

Microsoft

PKCS7_verify Certificate Chain Validation Bypass in AWS-LC↗2026-03-10

▶

Red Hat

aws-lc: aws-lc: Certificate validation bypass via improper handling of PKCS7 objects↗2026-03-02

▶

Red Hat

kernel: platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names↗2026-02-14

▶

🕵️Threat Intelligence

Bleepingcomputer

Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws↗2026-03-10

▶

Wiz

CVE-2026-3336 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶