CVE-2026-3337Observable Timing Discrepancy in Aws-lc

CWE-208Observable Timing Discrepancy6 documents4 sources
Severity
8.2HIGHNVD
EPSS
0.0%
top 88.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
AWS Aws-lcAWS Aws-lc-fipsAmazon Aws-lc-fips-sys+2 more
Timeline
PublishedMar 2
Latest updateMar 3

Description

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages7 packages

CVEListV5aws/aws-lc1.21.01.69.0
CVEListV5aws/aws-lc-fips3.0.03.2.0
NVDamazon/aws-lc-sys0.14.00.38.0
crates.ioamazon/aws-lc-sys0.14.00.38.0
NVDamazon/aws_libcrypto1.21.01.69.0+1

🔴Vulnerability Details

3
OSV
AWS-LC has Timing Side-Channel in AES-CCM Tag Verification2026-03-03
OSV
Timing Side-Channel in AES-CCM Tag Verification in AWS-LC2026-03-02
OSV
Timing Side-Channel in AES-CCM Tag Verification in AWS-LC2026-03-02

📋Vendor Advisories

1
Red Hat
aws-lc: AWS-LC: Information disclosure via timing discrepancy in AES-CCM decryption2026-03-02

🕵️Threat Intelligence

1
Wiz
CVE-2026-3337 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-3337 — Observable Timing Discrepancy in Aws-lc | cvebase