Timing Discrepancy Vulnerability in AWS-LC Affecting AES-CCM Decryption
CVE-2026-3337

8.2HIGH

Key Information:

Vendor

Aws

Status
Aws-lc
Aws-lc-fips
Vendor
CVE Published:
2 March 2026

What is CVE-2026-3337?

A timing discrepancy in the AES-CCM decryption process of the AWS-LC library could allow an unauthenticated attacker to infer the validity of authentication tags through timing analysis. This vulnerability arises from the implementation of the EVP_CIPHER API, notably affecting the EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm functions. Although users of AWS services are not required to take immediate action, it is strongly recommended for applications utilizing AWS-LC to upgrade to version 1.69.0 to mitigate any potential risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

AWS-LC 1.21.0 < 1.69.0

AWS-LC-FIPS 3.0.0 < 3.2.0

References

https://aws.amazon.com/security/security-bulletins/2026-0...
vendor-advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0
patch
https://github.com/aws/aws-lc/security/advisories/GHSA-fr...
third-party-advisory

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.