8.7

CVE-2026-3338

Medienbericht

PKCS7_verify Signature Validation Bypass in AWS-LC

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.



Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AmazonAws-lc-sys SwPlatformrust Version >= 0.24.0 < 0.38.0
AmazonAws Libcrypto Version >= 1.41.0 < 1.69.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.78% 0.513
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
ff89ba41-3aa1-4d27-914a-91399e9639e5 8.7 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ff89ba41-3aa1-4d27-914a-91399e9639e5 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.03.2026 22:20
https://aws.amazon.com/security/security-bulletins/2026-005-AWS/
Vendor Advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0
Release Notes
https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:5459
https://access.redhat.com/security/cve/CVE-2026-3338
https://bugzilla.redhat.com/show_bug.cgi?id=2444025
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3338.json