Published on March 2, 2026, the disclosure highlights a flaw that allows unauthenticated attackers to bypass certificate chain verification and exploit timing side-channels.
If left unpatched, these vulnerabilities could compromise cryptographic integrity across affected environments.
The newly discovered vulnerabilities primarily target the PKCS7_verify () function in the AWS-LC library.
For CVE-2026-3336, improper certificate validation creates a bypass when the system processes PKCS7 objects containing multiple signers, checking only the final signer.
Similarly, CVE-2026-3338 allows threat actors to bypass signature verification entirely when handling PKCS7 objects that contain Authenticated Attributes.
In addition to the PKCS7 flaws, CVE-2026-3337 introduces a timing side-channel vulnerability during AES-CCM tag verification.
By carefully measuring the time it takes the system to process data during decryption, unauthenticated attackers can analyze the discrepancies to deduce whether an authentication tag is valid.
This weakens the encryption’s overall reliability and exposes sensitive cryptographic operations to external observation.
AWS strongly recommends that all customers upgrade to the latest major versions of AWS-LC immediately.
Affected versions: AWS-LC 1.21.0–<1.69.0, AWS-LC-FIPS 3.0.0–<3.2.0, aws-lc-sys 0.14.0–<0.38.0, and aws-lc-sys-fips 0.13.0–<0.13.12 all now patched.
The AISLE Research Team collaborated with AWS to discover and disclose CVE-2026-3336 and CVE-2026-3337 through a coordinated vulnerability disclosure process.
Currently, there are no known workarounds for the PKCS7_verify bypass vulnerabilities (CVE-2026-3336 and CVE-2026-3338).
Organizations must apply the provided software updates to secure their environments. For the AES-CCM timing flaw (CVE-2026-3337), a temporary workaround exists for specific configurations.
Customers utilizing AES-CCM with specific parameters (M=4, L=2), (M=8, L=2), or (M=16, L=2) can mitigate the issue by routing AES-CCM through the EVP AEAD API.
This requires using the EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, and EVP_aead_aes_128_ccm_matter implementations, respectively.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Amazon AWS-LC Vulnerabilities Allows Attackers to Bypass Certificate Chain Verification appeared first on Cyber Security News.
Star Wars Day is upon us, and that means there's a slew of Star Wars…
A new weekend has arrived, and today, you can save big on Dragon Quest VII…
The Devil Wears Prada 2 star Meryl Streep is ready for a break from the…
The new Steam Controller is almost here. It’s set to release Monday, May 4 at…
Night Street Games, the studio founded by Imagine Dragons frontman Dan Reynolds and his brother…
Hi, Swifties. We don’t tend to have a lot in the way of Taylor Swift…
This website uses cookies.