The issues tracked as CVE-2026-3336, CVE-2026-3337, and CVE-2026-3338 can allow attackers to bypass certificate and signature validations or exploit timing side-channel leaks.
These flaws impact the AWS-LC, aws-lc-sys, and aws-lc-sys-fips packages used in various AWS services and third-party integrations for secure communications.
Two of the identified flaws, CVE-2026-3336 and CVE-2026-3338, stem from improper certificate and signature validation within the PKCS7_verify() function of AWS-LC.
The PKCS7_verify() routine fails to properly validate certificate chains when processing PKCS7 objects with multiple signers. Both validation bypass issues affect AWS-LC versions v1.41.0 through v1.68.x and aws-lc-sys versions v0.24.0 through v0.37.x.
These vulnerabilities can be exploited in any environment performing digital signature or certificate-based validations, potentially leading to man-in-the-middle or data tampering attacks.
The third vulnerability, CVE-2026-3337, concerns a timing side-channel flaw in AES-CCM tag verification.
During AES-CCM decryption, subtle timing variations can reveal whether an authentication tag is valid.
An attacker capable of measuring such variations could infer cryptographic state information or brute-force authentication tags more efficiently.
This issue affects AWS-LC versions v1.21.0 through v1.68.x, AWS-LC-FIPS 3.0.0 through 3.1.x, and the corresponding aws-lc-sys and aws-lc-sys-fips modules.
While no public exploits are reported, the issue could potentially lead to cryptographic key exposure or message forgery if exploited under laboratory conditions.
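The class of flaw behind CVE-2026-3337, shown as an added example that is not AWS-LC's code and does not reproduce its actual defect: a tag comparison that exits at the first wrong byte, beside a constant-time one. The byte counter stands in for elapsed time; the tag value, `verify_guess` and `last_steps` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Variable-time check: returns at the first mismatching byte, so the work done
 * depends on the tag. *steps counts bytes examined, a stand-in for time. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time check: folds every byte difference into one accumulator with
 * no early exit, so the work is the same for any pair of tags. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* diff == 0 -> 1, otherwise 0, computed without branching on diff. */
    return (int)(1u & ((uint32_t)(diff - 1) >> 8));
}

/* Constructed 8-byte tag (the M=8 case); not taken from any real message. */
static const uint8_t EXPECTED[8] = {0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x66};
size_t last_steps; /* bytes examined by the most recent verify_guess() call */

/* Hypothetical helper: first wrong byte at idx (idx >= 8: guess is correct). */
int verify_guess(size_t idx, int constant_time) {
    uint8_t guess[8];
    for (size_t i = 0; i < 8; i++) guess[i] = EXPECTED[i];
    if (idx < 8) guess[idx] ^= 0xff;
    return constant_time ? tag_equal_ct(EXPECTED, guess, 8, &last_steps)
                         : tag_equal_leaky(EXPECTED, guess, 8, &last_steps);
}

int main(void) {
    for (size_t idx = 0; idx <= 8; idx += 4)
        for (int ct = 0; ct <= 1; ct++) {
            int ok = verify_guess(idx, ct);
            printf("wrong@%zu ct=%d ok=%d steps=%zu\n", idx, ct, ok, last_steps);
        }
    return 0;
}
```

In the leaky variant the step count tracks how many leading bytes of a rejected tag were correct; in the constant-time variant it is always 8, so a rejection reveals nothing beyond the accept/reject result.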
As a temporary workaround, Amazon suggests that specific AES-CCM usage combinations such as (M=4, L=2), (M=8, L=2), or (M=16, L=2) be replaced with the EVP AEAD API implementations EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, or EVP_aead_aes_128_ccm_matter. However, AWS strongly recommends upgrading immediately instead of relying on these alternatives.
All three vulnerabilities have been addressed in AWS-LC v1.69.0, AWS-LC-FIPS v3.2, aws-lc-sys v0.38.0, and aws-lc-sys-fips v0.13.12.
Amazon has urged users and developers integrating AWS-LC into their cryptographic workflows to update to these fixed versions as soon as possible, as no other mitigations exist for the certificate or signature bypass vulnerabilities.
The AISLE Research Team was credited for identifying and responsibly disclosing CVE-2026-3336 and CVE-2026-3337 through coordinated vulnerability disclosure.
Additional advisory details and technical notes are available via the AWS Security Advisories on GitHub and official CVE entries for each issue:
The post Amazon AWS-LC Vulnerability Allows Attackers to Bypass Certificate Chain Verification appeared first on Cyber Security News.