8.7

CVE-2026-3336

Medienbericht

PKCS7_verify Certificate Chain Validation Bypass in AWS-LC

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AmazonAws-lc-sys SwPlatformrust Version >= 0.24.0 < 0.38.0
AmazonAws Libcrypto Version >= 1.41.0 < 1.69.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.77% 0.51
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
ff89ba41-3aa1-4d27-914a-91399e9639e5 8.7 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ff89ba41-3aa1-4d27-914a-91399e9639e5 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.03.2026 22:20
https://aws.amazon.com/security/security-bulletins/2026-005-AWS/
Vendor Advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0
Release Notes
https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:5459
https://access.redhat.com/security/cve/CVE-2026-3336
https://bugzilla.redhat.com/show_bug.cgi?id=2444026
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3336.json