AWS-LC Flaws Could Bypass Certificate Verification

AWS disclosed vulnerabilities in its AWS-LC cryptographic library that could bypass certificate verification and expose timing weaknesses.

Written By
Ken Underhill
Mar 6, 2026

Amazon AWS has disclosed several vulnerabilities in AWS-LC, its open-source cryptographic library. 

The issues include flaws that could allow certificate verification to be bypassed and weaknesses that may expose encryption timing information. 

One of the vulnerabilities, CVE-2026-3338, “allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes,” said AWS in its advisory.

Inside the AWS-LC Cryptographic Vulnerabilities

AWS-LC is Amazon AWS’s general-purpose cryptographic library used across cloud infrastructure and other software to handle security functions such as certificate validation, signature verification, and encryption. 

Because cryptographic libraries are foundational components in many software stacks, vulnerabilities in them can have widespread downstream impact across applications, platforms, and services that rely on them for secure communications and trust validation. 

The vulnerabilities affect several components within the AWS-LC ecosystem, including AWS-LC, AWS-LC-FIPS, and related bindings such as aws-lc-sys that allow applications written in other programming languages to interface with the library. 

As a result, organizations may be indirectly affected if their applications or cloud services rely on these components as dependencies.

Two vulnerabilities — CVE-2026-3336 and CVE-2026-3338 — affect the PKCS7_verify() function used to validate digital signatures and certificate chains. 

PKCS7 structures are widely used in secure messaging, software distribution, and authentication systems to verify the integrity and authenticity of signed data.

CVE-2026-3336

The first issue, CVE-2026-3336, stems from improper certificate validation when processing PKCS7 objects with multiple signers. 

In affected versions, the implementation may validate only the final signer in the certificate chain under certain conditions instead of verifying every certificate. 

This flaw could allow attackers to craft malicious PKCS7 objects that appear legitimate, potentially bypassing certificate chain validation.

CVE-2026-3338

The second vulnerability, CVE-2026-3338, can allow signature verification to be bypassed when PKCS7 objects include Authenticated Attributes. 

In these cases, the verification routine may fail to correctly validate the signature structure, allowing forged or manipulated data to be treated as valid.

CVE-2026-3337

A third vulnerability, CVE-2026-3337, affects AES-CCM authentication tag verification and introduces a timing side-channel weakness. 

By measuring subtle timing differences during decryption operations, an attacker may be able to infer whether an authentication tag is valid.

Although timing side-channel vulnerabilities typically do not expose encryption keys directly, they can weaken the reliability of cryptographic protections by leaking information about internal verification processes. 

Over time, attackers may use these signals to refine attacks or gain insight into how cryptographic validation routines behave.
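The class of weakness described above can be seen in a short added example, which is not AWS-LC code and not taken from the advisory. It assumes one common cause of timing-dependent tag checks, an early-exit byte comparison, which the article does not confirm as the root cause here. A byte counter stands in for elapsed time, and all names and tag values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Work counter: how many tag bytes the last comparison touched. It stands
 * in for elapsed time so the leak is visible without a precise timer. */
static size_t bytes_examined;

/* Variable-time check: returns at the first mismatching byte, so the work
 * done reveals how many leading bytes of the candidate tag were correct. */
int tag_equal_leaky(const uint8_t *expected, const uint8_t *got, size_t len) {
    bytes_examined = 0;
    for (size_t i = 0; i < len; i++) {
        bytes_examined++;
        if (expected[i] != got[i]) return 0;
    }
    return 1;
}

/* Constant-time check: always reads every byte and folds all differences
 * into one accumulator; no branch or early exit depends on the tag. */
int tag_equal_ct(const uint8_t *expected, const uint8_t *got, size_t len) {
    volatile uint8_t diff = 0;
    bytes_examined = 0;
    for (size_t i = 0; i < len; i++) {
        bytes_examined++;
        diff |= expected[i] ^ got[i];
    }
    return diff == 0;
}

/* Run one comparison and report how many bytes it examined. */
size_t work_for(int (*cmp)(const uint8_t *, const uint8_t *, size_t),
                const uint8_t *expected, const uint8_t *got, size_t len) {
    (void)cmp(expected, got, len);
    return bytes_examined;
}

/* Constructed sample data: a 16-byte tag and two wrong candidates. */
const uint8_t TAG[16] = {0xa1, 0xb2, 0xc3, 0xd4, 0x05, 0x16, 0x27, 0x38,
                         0x49, 0x5a, 0x6b, 0x7c, 0x8d, 0x9e, 0xaf, 0xb0};
const uint8_t WRONG_AT_0[16] = {0x00};            /* differs at byte 0 */
const uint8_t WRONG_AT_12[16] = {0xa1, 0xb2, 0xc3, 0xd4, 0x05, 0x16, 0x27,
                                 0x38, 0x49, 0x5a, 0x6b, 0x7c, 0x00};

int main(void) {
    printf("leaky: %zu vs %zu bytes\n", work_for(tag_equal_leaky, TAG, WRONG_AT_0, 16), work_for(tag_equal_leaky, TAG, WRONG_AT_12, 16));
    printf("ct:    %zu vs %zu bytes\n", work_for(tag_equal_ct, TAG, WRONG_AT_0, 16), work_for(tag_equal_ct, TAG, WRONG_AT_12, 16));
    return 0;
}
```

In production code, prefer the library's own constant-time comparison (for example `CRYPTO_memcmp` in OpenSSL-derived libraries) over a hand-written loop, because compilers may optimize the latter back into an early exit.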

At the time of disclosure, there were no confirmed reports of active exploitation or publicly available proof-of-concept code targeting these vulnerabilities.  

How Organizations Can Reduce Cryptographic Risk

Organizations using AWS-LC and related cryptographic libraries should update affected components to address the vulnerabilities. 

  • Upgrade all affected libraries to the latest patched versions of AWS-LC, AWS-LC-FIPS, aws-lc-sys, and aws-lc-sys-fips.
  • Identify and inventory applications that depend on AWS-LC using software composition analysis (SCA) tools to ensure vulnerable cryptographic dependencies are quickly detected and remediated.
  • Implement certificate pinning and strict trust store validation to prevent malicious or forged certificates from being accepted during verification processes.
  • Monitor systems for abnormal certificate validation behavior, cryptographic verification failures, or unusual authentication events that could indicate exploitation attempts.
  • Strengthen cryptographic security controls by encrypting sensitive communications, enforcing secure configuration standards, and reviewing cryptographic implementations regularly.
  • Use DevSecOps tools to secure the software supply chain, including artifact signing, automated dependency scanning, and integrity verification within CI/CD pipelines.
  • Regularly test incident response plans through tabletop exercises and simulations that model cryptographic exploitation scenarios.

Together, these measures help limit the blast radius of potential cryptographic vulnerabilities while strengthening overall resilience across applications and software supply chains.

Why Cryptographic Dependencies Require Close Monitoring

While no active exploitation has been reported, the disclosure highlights the importance of closely monitoring cryptographic dependencies that underpin cloud services and software applications. 

Because libraries like AWS-LC are widely embedded across infrastructure and development ecosystems, even small flaws can have far-reaching consequences if left unpatched.

These risks highlight the importance of software supply chain security and visibility into third-party dependencies. 
