Amazon: Amazon AWS-LC Vulnerability Allows Attackers to Bypass Certificate Chain Verification

AWS-LC Cryptographic Library Flaws Expose Certificate and Signature Validation Risks

Amazon has disclosed three critical vulnerabilities in AWS-LC, its open-source cryptographic library, which could allow attackers to bypass certificate and signature validation or exploit timing side-channel leaks. The flaws, tracked as CVE-2026-3336, CVE-2026-3337, and CVE-2026-3338, affect the AWS-LC, aws-lc-sys, and aws-lc-sys-fips packages used in AWS services and third-party integrations for secure communications.

Key Vulnerabilities and Impact

  1. Certificate Chain & Signature Validation Bypasses (CVE-2026-3336, CVE-2026-3338)

    • CVE-2026-3336: A flaw in the PKCS7_verify() function fails to properly validate certificate chains in PKCS7 objects with multiple signers, allowing attackers to bypass validation for all but the final signer. This could enable trust in unverified or malicious certificates.
    • CVE-2026-3338: Improper handling of Authenticated Attributes in PKCS7 objects permits signature bypass, making tampered or unsigned data appear legitimate.

    Both vulnerabilities affect AWS-LC v1.41.0–v1.68.x and aws-lc-sys v0.24.0–v0.37.x, risking man-in-the-middle or data tampering attacks in environments relying on digital signatures or certificate validation.

  2. Timing Side-Channel in AES-CCM (CVE-2026-3337)

    • Subtle timing variations during AES-CCM decryption could leak authentication tag validity, potentially allowing attackers to infer cryptographic state or brute-force tags. This affects AWS-LC v1.21.0–v1.68.x, AWS-LC-FIPS 3.0.0–3.1.x, and corresponding aws-lc-sys modules. While no public exploits exist, successful exploitation could lead to key exposure or message forgery under controlled conditions.

Mitigation and Fixes

Amazon has released patches in:

  • AWS-LC v1.69.0
  • AWS-LC-FIPS v3.2
  • aws-lc-sys v0.38.0
  • aws-lc-sys-fips v0.13.12

For CVE-2026-3337, a temporary workaround involves replacing specific AES-CCM configurations (e.g., M=4, L=2) with alternative EVP AEAD API implementations. However, AWS strongly recommends immediate upgrades, as no other mitigations exist for the certificate/signature bypass flaws.
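
To check a Rust project against the patched releases listed above, the following added example (not code from AWS or the AWS-LC project) scans Cargo.lock text for aws-lc-sys and aws-lc-sys-fips entries. The function names and the sample lockfile are constructed for illustration, and the only affected crate range it encodes is the one this page states (aws-lc-sys v0.24.0–v0.37.x for the PKCS7 flaws).

```python
import re

# First patched crate releases, as listed on this page.
FIXED = {"aws-lc-sys": (0, 38, 0), "aws-lc-sys-fips": (0, 13, 12)}
# The only crate range the page states: aws-lc-sys v0.24.0-v0.37.x (PKCS7 flaws).
PKCS7_RANGE = ((0, 24, 0), (0, 38, 0))
PKCS7_CVES = ["CVE-2026-3336", "CVE-2026-3338"]

# Cargo.lock stores each dependency as a [[package]] table: name, then version.
PACKAGE_RE = re.compile(
    r'\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"')

def parse_version(text):
    """'0.37.1' -> (0, 37, 1); pre-release/build suffixes are ignored."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def audit_lockfile(lock_text):
    """Return one finding per aws-lc-sys / aws-lc-sys-fips entry in the lockfile."""
    findings = []
    for name, raw in PACKAGE_RE.findall(lock_text):
        if name not in FIXED:
            continue
        version = parse_version(raw)
        in_range = name == "aws-lc-sys" and PKCS7_RANGE[0] <= version < PKCS7_RANGE[1]
        findings.append({
            "crate": name,
            "version": raw,
            "patched": version >= FIXED[name],
            "cves_in_stated_range": list(PKCS7_CVES) if in_range else [],
            "upgrade_to": ".".join(map(str, FIXED[name])),
        })
    return findings

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = '''
[[package]]
name = "aws-lc-sys"
version = "0.37.1"

[[package]]
name = "aws-lc-sys-fips"
version = "0.13.12"

[[package]]
name = "example-app"
version = "1.0.0"
'''
```

A crate below its patched release but outside the stated range is reported with `patched` set to `False` and an empty CVE list, because the page gives no crate-level range for CVE-2026-3337.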

The AISLE Research Team was credited for discovering CVE-2026-3336 and CVE-2026-3337 through coordinated disclosure. Technical details are available via AWS Security Advisories on GitHub and the respective CVE entries.

Source: https://cyberpress.org/amazon-aws-lc-vulnerability/

Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services

"id": "AMA1772792723",
"linkid": "amazon-web-services",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'AWS services and third-party '
                                              'integrations using AWS-LC',
                        'industry': 'Technology/Cloud Computing',
                        'location': 'Global',
                        'name': 'Amazon Web Services (AWS)',
                        'size': 'Large',
                        'type': 'Cloud Service Provider'}],
 'attack_vector': ['Exploitation of cryptographic library flaws',
                   'Man-in-the-middle attacks',
                   'Data tampering'],
 'data_breach': {'data_encryption': ['Potential compromise of AES-CCM '
                                     'encryption']},
 'description': 'Amazon has disclosed three critical vulnerabilities in '
                'AWS-LC, its open-source cryptographic library, which could '
                'allow attackers to bypass certificate and signature '
                'validation or exploit timing side-channel leaks. The flaws '
                'tracked as CVE-2026-3336, CVE-2026-3337, and CVE-2026-3338 '
                'affect AWS-LC, aws-lc-sys, and aws-lc-sys-fips packages used '
                'in AWS services and third-party integrations for secure '
                'communications.',
 'impact': {'brand_reputation_impact': 'Potential erosion of trust in AWS '
                                       'cryptographic security',
            'data_compromised': ['Certificate validation bypass',
                                 'Signature validation bypass',
                                 'Potential cryptographic key exposure'],
            'operational_impact': ['Risk of man-in-the-middle attacks',
                                   'Data tampering',
                                   'Potential message forgery'],
            'systems_affected': ['AWS-LC v1.41.0–v1.68.x',
                                 'aws-lc-sys v0.24.0–v0.37.x',
                                 'AWS-LC-FIPS 3.0.0–3.1.x',
                                 'aws-lc-sys-fips']},
 'post_incident_analysis': {'corrective_actions': ['Patching vulnerabilities '
                                                   'in AWS-LC',
                                                   'Enhanced validation '
                                                   'mechanisms for certificate '
                                                   'and signature '
                                                   'verification'],
                            'root_causes': ['Flaws in PKCS7_verify() function',
                                            'Improper handling of '
                                            'Authenticated Attributes in PKCS7 '
                                            'objects',
                                            'Timing variations in AES-CCM '
                                            'decryption']},
 'recommendations': ['Immediate upgrade to patched versions of AWS-LC and '
                     'related packages',
                     'Review and replace vulnerable AES-CCM configurations if '
                     'upgrades are not feasible'],
 'references': [{'source': 'AWS Security Advisories',
                 'url': 'https://github.com/aws/aws-lc/security/advisories'},
                {'source': 'CVE Entries'}],
 'response': {'communication_strategy': ['AWS Security Advisories on GitHub',
                                         'CVE entries'],
              'containment_measures': ['Patches released for AWS-LC v1.69.0, '
                                       'AWS-LC-FIPS v3.2, aws-lc-sys v0.38.0, '
                                       'aws-lc-sys-fips v0.13.12'],
              'remediation_measures': ['Immediate upgrades to patched versions',
                                       'Replacement of specific AES-CCM '
                                       'configurations as a temporary '
                                       'workaround']},
 'title': 'AWS-LC Cryptographic Library Flaws Expose Certificate and Signature '
          'Validation Risks',
 'type': ['Cryptographic Vulnerability',
          'Certificate Validation Bypass',
          'Signature Validation Bypass',
          'Timing Side-Channel'],
 'vulnerability_exploited': ['CVE-2026-3336', 'CVE-2026-3337', 'CVE-2026-3338']}