Improper Signature Validation in AWS-LC by Amazon Web Services
CVE-2026-3338

8.7HIGH

Key Information:

Vendor

Aws

Status
Aws-lc
Vendor
CVE Published:
2 March 2026

What is CVE-2026-3338?

A vulnerability in AWS-LC facilitates improper signature verification in the PKCS7_verify() function, enabling unauthorized users to circumvent signature checks when handling PKCS7 objects that contain Authenticated Attributes. This flaw could lead to potential security breaches for applications reliant on the affected library. Users of AWS-LC are encouraged to upgrade to version 1.69.0 to mitigate any associated risks.

Affected Version(s)

AWS-LC 1.41.0 < 1.69.0

References

https://aws.amazon.com/security/security-bulletins/2026-0...
vendor-advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0
patch
https://github.com/aws/aws-lc/security/advisories/GHSA-jc...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.