RUSTSEC-2026-0045

Timing Side-Channel in AES-CCM Tag Verification in AWS-LC

Reported
Issued
Package: aws-lc-sys (crates.io)
Type: Vulnerability
Categories
Keywords: #aes-ccm #timing #side-channel
Aliases
References
CVSS Score: 5.9 MEDIUM
CVSS Details
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Patched
  • >=0.38.0
Unaffected
  • <0.14.0

Description

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.

The impacted implementations are those reached through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Workarounds

In the special cases of using AES-CCM with (M=4, L=2), (M=8, L=2), or (M=16, L=2), applications can work around this issue by using AES-CCM through the EVP AEAD API, with the implementations EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, and EVP_aead_aes_128_ccm_matter respectively.

Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent release.
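To decide whether a project needs the upgrade, the patched and unaffected ranges listed above can be checked against its Cargo.lock. The following Rust code is an added example, not part of the advisory or of RustSec's tooling; the function names, the `Status` type and the sample lockfile are assumptions made for illustration.

```rust
// Added example. Advisory ranges: unaffected < 0.14.0, patched >= 0.38.0, affected in between.
#[derive(Debug, PartialEq)]
enum Status { Unaffected, Affected, Patched, Unparsed }

// Strict MAJOR.MINOR.PATCH only; pre-release or build suffixes yield None for manual review.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    let ver = (it.next()??, it.next()??, it.next()??);
    if it.next().is_none() { Some(ver) } else { None }
}

fn classify(version: &str) -> Status {
    match parse_version(version) {
        None => Status::Unparsed,
        Some(v) if v < (0, 14, 0) => Status::Unaffected,
        Some(v) if v >= (0, 38, 0) => Status::Patched,
        Some(_) => Status::Affected,
    }
}

// Walk the [[package]] tables of a Cargo.lock and report every aws-lc-sys entry.
fn audit_lockfile(lock: &str) -> Vec<(String, Status)> {
    let (mut found, mut in_target) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" || line.starts_with("name = ") {
            in_target = line == r#"name = "aws-lc-sys""#;
        } else if in_target {
            if let Some(v) = line.strip_prefix("version = ") {
                let v = v.trim_matches('"');
                found.push((v.to_string(), classify(v)));
            }
        }
    }
    found
}

// Constructed sample lockfile; the versions are illustrative, not taken from the advisory.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "aws-lc-rs"
version = "1.0.0"

[[package]]
name = "aws-lc-sys"
version = "0.29.0"
"#;

fn main() {
    println!("{:?}", audit_lockfile(SAMPLE_LOCK));
}
```

An `Unparsed` result means the version string was not plain MAJOR.MINOR.PATCH and should be compared against the advisory ranges by hand.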

Advisory available under CC0-1.0 license.