Reported

March 2, 2026

Issued

March 20, 2026

Package

aws-lc-sys (crates.io)

Type

Vulnerability

Categories

• crypto-failure

Keywords

#pkcs7 #signature-verification #bypass

Aliases

• CVE-2026-3338
• GHSA-hfpc-8r3f-gw53

References

• https://aws.amazon.com/security/security-bulletins/2026-005-AWS
• https://github.com/aws/aws-lc-rs/security/advisories/GHSA-hfpc-8r3f-gw53

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

High

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Patched

• >=0.38.0

Unaffected

• <0.24.0

Description

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

There is no workaround; applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Advisory available under CC0-1.0 license.