CVE-2026-3338: Improper Verification of Cryptographic Signature in AWS-LC

Severity: 8.7 HIGH (NVD)
EPSS: 0.0% (top 97.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 2; latest update Mar 10

Description

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (7 packages)

CVEListV5 | aws/aws-lc | 1.41.0 | 1.69.0
NVD | amazon/aws-lc-sys | 0.24.0 | 0.38.0
crates.io | amazon/aws-lc-sys | 0.24.0 | 0.38.0
NVD | amazon/aws_libcrypto | 1.41.0 | 1.69.0

🔴 Vulnerability Details (2)

OSV: AWS-LC has PKCS7_verify Signature Validation Bypass (2026-03-03)
OSV: PKCS7_verify Signature Validation Bypass in AWS-LC (2026-03-02)

📋 Vendor Advisories (2)

Microsoft: PKCS7_verify Signature Validation Bypass in AWS-LC (2026-03-10)
Red Hat: aws-lc: AWS-LC: Signature bypass due to improper validation in PKCS7_verify() (2026-03-02)

🕵️ Threat Intelligence (2)

Bleepingcomputer: Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws (2026-03-10)
Wiz: CVE-2026-3338 Impact, Exploitability, and Mitigation Steps

💬 Community (6)

Bugzilla: CVE-2026-2775 firefox: thunderbird: Mitigation bypass in the DOM: HTML Parser component (2026-02-24)
Bugzilla: CVE-2026-2764 firefox: thunderbird: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component (2026-02-24)
Bugzilla: CVE-2026-2787 firefox: thunderbird: Use-after-free in the DOM: Window and Location component (2026-02-24)
Bugzilla: CVE-2026-2768 firefox: thunderbird: Sandbox escape in the Storage: IndexedDB component (2026-02-24)
Bugzilla: CVE-2026-2793 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (2026-02-24)
CVE-2026-3338 — AWS Aws-lc vulnerability | cvebase