CVE-2026-4428 PUBLISHED

CRL Distribution Point Scope Check Logic Error in AWS-LC

Assigner: AMZN
Reserved: 19.03.2026
Published: 19.03.2026
Updated: 19.03.2026

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope. Because the CRL that would list the certificate is never consulted, a revoked certificate can pass certificate revocation checks.

To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 9.1

Product Status

Vendor: AWS
Product: AWS-LC
Versions: default unaffected
  • affected from 1.24.0 up to (excluding) 1.71.0

Vendor: AWS
Product: AWS-LC-FIPS
Versions: default unaffected
  • affected from 3.0.0 up to (excluding) 3.3.0

Problem Types

  • CWE-299 Improper Check for Certificate Revocation

Impacts

  • CAPEC-94 Adversary in the Middle (AiTM)