Reported

March 19, 2026

Issued

March 20, 2026

Package

aws-lc-sys (crates.io)

Type

Vulnerability

Categories

• crypto-failure

Keywords

#crl #revocation #bypass

Aliases

• CVE-2026-4428
• GHSA-9f94-5g5w-gf6r

References

• https://aws.amazon.com/security/security-bulletins/2026-010-AWS
• https://github.com/aws/aws-lc-rs/security/advisories/GHSA-9f94-5g5w-gf6r

CVSS Score

7.4 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Patched

• >=0.39.0

Unaffected

• <0.15.0

Description

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Workarounds

Applications can workaround this issue if they do not enable CRL checking (X509_V_FLAG_CRL_CHECK). Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected.

Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.

Advisory available under CC0-1.0 license.