
RUSTSEC-2026-0046

PKCS7_verify Certificate Chain Validation Bypass in AWS-LC

Reported:
Issued:
Package: aws-lc-sys (crates.io)
Type: Vulnerability
Categories:
Keywords: #pkcs7 #certificate #verification #bypass
Aliases:
References:
CVSS Score: 7.5 HIGH

CVSS Details
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Patched
  • >=0.38.0
Unaffected
  • <0.24.0

Description

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification for all but the final signer when processing PKCS7 objects with multiple signers.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

There is no workaround; applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
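Because the only remediation is upgrading, the practical check for a dependent project is whether its lockfile pins aws-lc-sys inside the affected window, which from the Patched/Unaffected entries above is >=0.24.0 and <0.38.0. The following Rust program is an added example, not RustSec's or AWS-LC's code: it scans a Cargo.lock with a small hand-written parser (no external crates), reports every aws-lc-sys version in that range, and embeds a constructed sample lockfile so it runs offline. The crate name `example-crate` and all version numbers in the sample are made up for illustration.

```rust
// Added example: flag aws-lc-sys versions in the affected range
// [0.24.0, 0.38.0) taken from the advisory's Patched/Unaffected lines.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH". Any "-pre" or "+build" suffix is dropped,
    /// so "0.38.0-rc1" compares as 0.38.0; a precise semver check would need
    /// the semver crate, which is avoided here to keep the example offline.
    pub fn parse(s: &str) -> Option<Version> {
        let core = s.split(|c| c == '-' || c == '+').next()?;
        let mut parts = core.split('.');
        let major = parts.next()?.trim().parse().ok()?;
        let minor = parts.next()?.trim().parse().ok()?;
        let patch = parts.next()?.trim().parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// Boundaries from the advisory: first affected and first patched release.
pub const FIRST_AFFECTED: Version = Version { major: 0, minor: 24, patch: 0 };
pub const FIRST_PATCHED: Version = Version { major: 0, minor: 38, patch: 0 };

/// True when the version lies in [0.24.0, 0.38.0).
pub fn is_affected(v: Version) -> bool {
    v >= FIRST_AFFECTED && v < FIRST_PATCHED
}

/// Walk a Cargo.lock and collect every version of `crate_name`.
/// Cargo.lock is TOML, but each [[package]] block lists `name = "..."`
/// before `version = "..."`, so a line scanner is sufficient here.
pub fn find_crate_versions(lock: &str, crate_name: &str) -> Vec<Version> {
    let mut found = Vec::new();
    let mut in_target = false;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            in_target = false; // new block: forget the previous name
        } else if let Some(rest) = line.strip_prefix("name = ") {
            in_target = rest.trim().trim_matches('"') == crate_name;
        } else if in_target {
            if let Some(rest) = line.strip_prefix("version = ") {
                if let Some(v) = Version::parse(rest.trim().trim_matches('"')) {
                    found.push(v);
                }
            }
        }
    }
    found
}

/// Affected aws-lc-sys versions present in the lockfile (empty = clean).
pub fn affected_aws_lc_sys(lock: &str) -> Vec<Version> {
    find_crate_versions(lock, "aws-lc-sys")
        .into_iter()
        .filter(|v| is_affected(*v))
        .collect()
}

/// Constructed sample lockfile fragment; crate names other than aws-lc-sys
/// and all version numbers are invented for this example.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "example-crate"
version = "1.2.3"

[[package]]
name = "aws-lc-sys"
version = "0.30.0"

[[package]]
name = "aws-lc-sys"
version = "0.38.1"
"#;

fn main() {
    // Real use: replace SAMPLE_LOCK with std::fs::read_to_string("Cargo.lock").
    let hits = affected_aws_lc_sys(SAMPLE_LOCK);
    if hits.is_empty() {
        println!("no aws-lc-sys version in the affected range");
    }
    for v in hits {
        println!(
            "aws-lc-sys {}.{}.{} is in [0.24.0, 0.38.0); upgrade to >=0.38.0",
            v.major, v.minor, v.patch
        );
    }
}
```

A lockfile can legitimately contain two copies of the same crate (the sample shows one affected and one patched), which is why the scan returns every match rather than stopping at the first; the patched copy does not make the older one safe.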

Advisory available under CC0-1.0 license.