Amazon issued a critical security bulletin (2026-005-AWS) detailing three high-severity vulnerabilities in AWS-LC, its open-source cryptographic library.
Discovered through a coordinated disclosure process with the AISLE Research Team, these flaws pose a serious risk to cloud infrastructure.
Developers rely heavily on AWS-LC as a general-purpose library to secure digital communications.
Because of this widespread use, these newly discovered vulnerabilities could allow unauthenticated attackers to bypass essential certificate validations and exploit system timing discrepancies to compromise secure data.
Vulnerability Breakdown
Security researchers identified three distinct issues affecting how AWS-LC handles cryptographic processes.
The most pressing concerns involve the PKCS7_verify() function, which is responsible for validating digital certificates and signatures.
- CVE-2026-3336: This certificate chain validation bypass occurs when processing PKCS7 objects with multiple signers. An unauthenticated user can exploit this improper validation to bypass chain verification for all but the final signer in the sequence.
- CVE-2026-3337: This flaw introduces an observable timing side-channel during AES-CCM decryption. By analyzing the tiny delays in processing time, an unauthenticated attacker can potentially determine whether an authentication tag is valid, which compromises the integrity of the encryption.
- CVE-2026-3338: Similar to the first flaw, this vulnerability involves improper signature validation in the PKCS7_verify() function. It allows unauthenticated users to completely bypass signature verification when processing PKCS7 objects that contain Authenticated Attributes.
Amazon strongly recommends that all customers upgrade to the latest major versions of AWS-LC to secure their environments.
The vulnerabilities impact multiple versions of the library and its associated system packages.
Specifically, the PKCS7 flaws affect AWS-LC versions between v1.41.0 and v1.69.0, as well as aws-lc-sys versions between v0.24.0 and v0.38.0.
The timing side-channel flaw has a broader reach, affecting AWS-LC starting from v1.21.0, and including FIPS versions like AWS-LC-FIPS 3.0.0 through 3.2.0.
To resolve these security gaps, Amazon addressed the PKCS7 bypass vulnerabilities in AWS-LC v1.69.0 and aws-lc-sys v0.38.0.
They also patched the timing side-channel flaw across AWS-LC v1.69.0, AWS-LC-FIPS-3.2.0, aws-lc-sys v0.38.0, and aws-lc-sys-fips v0.13.12.
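For Rust projects, one way to check exposure is to audit `Cargo.lock` for the `aws-lc-sys` and `aws-lc-sys-fips` versions listed above. The script below is an added example, not code from Amazon or the AWS-LC project; it assumes the fixed release is an exclusive upper bound of each affected range, and the sample lockfile is constructed.

```python
import re

# Affected ranges and fixed releases as stated in the article. Treating the
# fixed release as an exclusive upper bound is an assumption of this example.
PKCS7 = "CVE-2026-3336/CVE-2026-3338"
CCM = "CVE-2026-3337"
RULES = {  # crate -> [(CVEs, first affected or None if not stated, fixed)]
    "aws-lc-sys": [(PKCS7, (0, 24, 0), (0, 38, 0)), (CCM, None, (0, 38, 0))],
    "aws-lc-sys-fips": [(CCM, None, (0, 13, 12))],
}
# Cargo.lock writes each [[package]] table with name first, then version.
PACKAGE_RE = re.compile(
    r'^\[\[package\]\][ \t]*\r?\nname = "([^"]+)"[ \t]*\r?\nversion = "([^"]+)"',
    re.MULTILINE)

def parse_version(text):
    """Return (major, minor, patch); pre-release/build suffixes are ignored."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))[:3]

def audit_lockfile(lock_text):
    """Return (crate, version, CVEs, fixed release) for crates below a fix."""
    findings = []
    for name, version in PACKAGE_RE.findall(lock_text):
        locked = parse_version(version)
        for cves, first, fixed in RULES.get(name, []):
            # Skip patched versions and versions older than a stated range.
            if locked >= fixed or (first is not None and locked < first):
                continue
            findings.append((name, version, cves, ".".join(map(str, fixed))))
    return findings

# Constructed sample lockfile (crate versions chosen for illustration only).
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "aws-lc-sys"
version = "0.25.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "aws-lc-sys-fips"
version = "0.13.12"
'''

if __name__ == "__main__":
    for crate, version, cves, fixed in audit_lockfile(SAMPLE_LOCK):
        print(f"{crate} {version}: {cves}, upgrade to >= {fixed}")
```

The article gives no lower bound for the timing flaw in the `-sys` crates, so the script flags every version below the fixed release for CVE-2026-3337.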
Unfortunately, there are no known workarounds for the certificate and signature validation bypasses, making immediate patching the only way to secure your systems.
However, administrators do have a temporary mitigation option for the timing side-channel vulnerability.
If you use AES-CCM with specific parameters, such as (M=4,L=2), (M=8,L=2), or (M=16,L=2), you can route your encryption through the EVP AEAD API.
By selecting AEAD algorithms such as EVP_aead_aes_128_ccm_bluetooth or EVP_aead_aes_128_ccm_matter, security teams can protect their operations until they can deploy the official patches.


