Amazon AWS-LC Vulnerability Allows Attackers to Bypass Certificate Chain Verification
By AnuPriya
March 6, 2026
Amazon has disclosed multiple critical vulnerabilities in AWS-LC, its open-source general-purpose cryptographic library.
The issues, tracked as CVE-2026-3336, CVE-2026-3337, and CVE-2026-3338, can allow attackers to bypass certificate and signature validations or exploit timing side-channel leaks.
These flaws impact the AWS-LC, aws-lc-sys, and aws-lc-sys-fips packages used in various AWS services and third-party integrations for secure communications.
Certificate Chain and Signature Validation Bypass
Two of the identified flaws, CVE-2026-3336 and CVE-2026-3338, stem from improper certificate and signature validation within the PKCS7_verify() function of AWS-LC.
CVE-2026-3336 – PKCS7_verify Certificate Chain Validation Bypass:
In vulnerable builds, the PKCS7_verify() routine fails to properly validate certificate chains when processing PKCS7 objects with multiple signers.
Except for the final signer, earlier certificates in the chain may not be effectively verified. This loophole enables unauthenticated users to bypass certificate validation, potentially trusting unverified certificates or malicious signers.
CVE-2026-3338 – PKCS7_verify Signature Validation Bypass:
This flaw occurs due to improper handling of Authenticated Attributes in PKCS7 objects. Attackers can exploit it to bypass signature checks, allowing tampered or unsigned data to appear authentic.
Such attacks can undermine the integrity of cryptographic signature verification, posing risks to applications relying on AWS-LC for secure content validation.
Both validation bypass issues affect AWS-LC versions v1.41.0 through v1.68.x and aws-lc-sys versions v0.24.0 through v0.37.x.
These vulnerabilities can be exploited in any environment performing digital signature or certificate-based validations, potentially leading to man-in-the-middle or data tampering attacks.
The third vulnerability, CVE-2026-3337, concerns a timing side-channel flaw in AES-CCM tag verification.
During AES-CCM decryption, subtle timing variations can reveal whether an authentication tag is valid.
An attacker capable of measuring such variations could infer cryptographic state information or brute-force authentication tags more efficiently.
This issue affects AWS-LC versions v1.21.0 through v1.68.x, AWS-LC-FIPS 3.0.0 through 3.1.x, and the corresponding aws-lc-sys and aws-lc-sys-fips modules.
While no public exploits are reported, the issue could potentially lead to cryptographic key exposure or message forgery if exploited under laboratory conditions.
As a temporary workaround, Amazon suggests replacing specific AES-CCM usage combinations, such as (M=4, L=2), (M=8, L=2), or (M=16, L=2), with the EVP AEAD API implementations EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, or EVP_aead_aes_128_ccm_matter. However, AWS strongly recommends upgrading immediately instead of relying on these alternatives.
All three vulnerabilities have been addressed in AWS-LC v1.69.0, AWS-LC-FIPS v3.2, aws-lc-sys v0.38.0, and aws-lc-sys-fips v0.13.12.
Amazon has urged users and developers integrating AWS-LC into their cryptographic workflows to update to these fixed versions as soon as possible, as no other mitigations exist for the certificate or signature bypass vulnerabilities.
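A quick way to find Rust builds that still pin a pre-fix crate is to audit Cargo.lock against the versions above. The script below is an added example, not code from Amazon or AWS-LC; the sample lockfile is constructed, and flagging every pre-fix crate release for CVE-2026-3337 is a conservative assumption because the article gives no lower bound for the crates.

```python
import re

# Fixed crate releases as stated in the article.
FIXED = {"aws-lc-sys": (0, 38, 0), "aws-lc-sys-fips": (0, 13, 12)}
# First aws-lc-sys release the article lists for the PKCS7_verify() bypasses.
PKCS7_FIRST_AFFECTED = (0, 24, 0)

# Cargo.lock writes each [[package]] table with name first, then version.
PACKAGE_RE = re.compile(
    r'\[\[package\]\]\s*\nname\s*=\s*"([^"]+)"\s*\nversion\s*=\s*"([^"]+)"'
)

def parse_version(text):
    """'0.37.1' or '0.37.1+build' -> (0, 37, 1); pre-release/build tags are dropped."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_lockfile(lock_text):
    """Return (crate, version, [CVE ids]) for every pinned release below the fix."""
    findings = []
    for name, version in PACKAGE_RE.findall(lock_text):
        if name not in FIXED or parse_version(version) >= FIXED[name]:
            continue
        # Assumption: the article gives no lower bound for the AES-CCM issue in
        # the crates, so every pre-fix release is flagged for CVE-2026-3337.
        cves = ["CVE-2026-3337"]
        if name == "aws-lc-sys" and parse_version(version) >= PKCS7_FIRST_AFFECTED:
            cves += ["CVE-2026-3336", "CVE-2026-3338"]
        findings.append((name, version, sorted(cves)))
    return findings

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "aws-lc-sys"
version = "0.37.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "aws-lc-sys-fips"
version = "0.13.12"

[[package]]
name = "example-app"
version = "0.1.0"
'''

if __name__ == "__main__":
    for crate, version, cves in audit_lockfile(SAMPLE_LOCK):
        print(f"{crate} {version}: upgrade required ({', '.join(cves)})")
```

To audit a real project, pass the contents of its Cargo.lock to audit_lockfile() and fail the build when the returned list is non-empty.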
The AISLE Research Team was credited for identifying and responsibly disclosing CVE-2026-3336 and CVE-2026-3337 through coordinated vulnerability disclosure.
Additional advisory details and technical notes are available via the AWS Security Advisories on GitHub and official CVE entries for each issue:
CVE-2026-3336
CVE-2026-3337
CVE-2026-3338