Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)

Posted on: Mar 2, 2026

Bulletin ID: 2026-005-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 03/02/2026 13:15 PM PST
 

We identified the following CVEs:

  • CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC
  • CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification in AWS-LC
  • CVE-2026-3338: PKCS7_verify Signature Validation bypass in AWS-LC

Description:

AWS-LC is an open-source, general-purpose cryptographic library. We identified three distinct issues:

  • CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC
    Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification for every signer except the final one when processing PKCS7 objects with multiple signers.

  • CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification in AWS-LC
    Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.

  • CVE-2026-3338: PKCS7_verify Signature Validation bypass in AWS-LC
    Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.

Affected versions:

  • PKCS7_verify Certificate Chain Validation Bypass in AWS-LC >= v1.41.0, < v1.69.0
  • PKCS7_verify Certificate Chain Validation Bypass in aws-lc-sys >= v0.24.0, < v0.38.0
  • Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= v1.21.0, < v1.69.0
  • Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= AWS-LC-FIPS-3.0.0, < AWS-LC-FIPS-3.2.0
  • Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys >= v0.14.0, < v0.38.0
  • Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys-fips >= v0.13.0, < v0.13.12
  • PKCS7_verify Signature Validation bypass in AWS-LC >= v1.41.0, < v1.69.0
  • PKCS7_verify Signature Validation bypass in aws-lc-sys >= v0.24.0, < v0.38.0

Resolution:

The PKCS7_verify Certificate Chain Validation Bypass and the PKCS7_verify Signature Validation Bypass have been addressed in AWS-LC v1.69.0 and aws-lc-sys v0.38.0. The Timing Side-Channel in AES-CCM Tag Verification has been addressed in AWS-LC v1.69.0, AWS-LC-FIPS-3.2.0, aws-lc-sys v0.38.0, and aws-lc-sys-fips v0.13.12.
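A triage check for the affected ranges listed above, added here as an example (it is not AWS's or the AWS-LC project's code): it compares a package version against the bulletin's ranges and scans Cargo.lock contents for pinned aws-lc-sys and aws-lc-sys-fips crates. The function names are hypothetical, the lockfile sample is constructed, and pre-release or build suffixes on a version are ignored.

```python
import re

# Affected ranges from the bulletin: (package, first affected, first fixed, CVEs).
RANGES = [
    ("AWS-LC", "1.41.0", "1.69.0", ("CVE-2026-3336", "CVE-2026-3338")),
    ("aws-lc-sys", "0.24.0", "0.38.0", ("CVE-2026-3336", "CVE-2026-3338")),
    ("AWS-LC", "1.21.0", "1.69.0", ("CVE-2026-3337",)),
    ("AWS-LC-FIPS", "3.0.0", "3.2.0", ("CVE-2026-3337",)),
    ("aws-lc-sys", "0.14.0", "0.38.0", ("CVE-2026-3337",)),
    ("aws-lc-sys-fips", "0.13.0", "0.13.12", ("CVE-2026-3337",)),
]
PACKAGE_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')

def parse_version(text):
    """'v1.68.0', 'AWS-LC-FIPS-3.1.0' or '0.37.0+meta' -> (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def affected_cves(package, version):
    """Sorted CVE ids whose affected range (first affected <= v < first fixed) holds v."""
    v = parse_version(version)
    hits = set()
    for name, first_bad, first_fixed, cves in RANGES:
        lo, hi = parse_version(first_bad), parse_version(first_fixed)
        if name.lower() == package.lower() and lo <= v < hi:
            hits.update(cves)
    return sorted(hits)

def scan_cargo_lock(lock_text):
    """Map 'crate version' -> CVE ids for each affected crate pinned in a Cargo.lock."""
    findings = {}
    for name, version in PACKAGE_RE.findall(lock_text):
        cves = affected_cves(name, version)
        if cves:
            findings[f"{name} {version}"] = cves
    return findings

# Constructed sample lockfile contents, not taken from a real project.
SAMPLE_LOCK = (
    '[[package]]\nname = "aws-lc-sys"\nversion = "0.20.0"\n\n'
    '[[package]]\nname = "aws-lc-sys-fips"\nversion = "0.13.12"\n\n'
    '[[package]]\nname = "example-app"\nversion = "0.1.0"\n'
)

if __name__ == "__main__":
    for crate, cves in scan_cargo_lock(SAMPLE_LOCK).items():
        print(f"{crate}: {', '.join(cves)}")
```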

Workarounds:

There are no known workarounds for CVE-2026-3336 and CVE-2026-3338.

For CVE-2026-3337, customers using AES-CCM with (M=4, L=2), (M=8, L=2), or (M=16, L=2) can work around this issue by using AES-CCM through the EVP AEAD API with the implementations EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, and EVP_aead_aes_128_ccm_matter, respectively. Otherwise, there is no known workaround. We recommend that customers upgrade to the latest major versions of AWS-LC.

Acknowledgement:

We would like to thank the AISLE Research Team for collaborating on issues CVE-2026-3336 and CVE-2026-3337 through the coordinated vulnerability disclosure process.
 

Please email aws-security@amazon.com with any security questions or concerns.