CVE-2026-3336 PUBLISHED

PKCS7_verify Certificate Chain Validation Bypass in AWS-LC

Assigner: AMZN
Reserved: 27.02.2026 Published: 02.03.2026 Updated: 02.03.2026

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated attacker to bypass certificate chain verification when processing PKCS7 objects with multiple signers: the certificate chain is verified only for the final signer, so the certificates of every other signer are accepted without chain validation.

Customers of AWS services do not need to take action. Applications that link AWS-LC directly should upgrade to AWS-LC 1.69.0 or later, the first version in which the issue is fixed.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor AWS
Product AWS-LC
Versions Default: unaffected
  • affected from 1.41.0 to 1.69.0 (excl.)

References

Problem Types

  • CWE-295 (Improper Certificate Validation)

Impacts

  • CAPEC-459 (Creating a Rogue Certification Authority Certificate)