About this tag
CVE-2026-3338 is a high-severity signature validation bypass vulnerability in Amazon's AWS-LC cryptographic library, specifically in the PKCS7_verify() code path. This flaw allows specially crafted PKCS#7 objects to be accepted even when their signatures or authenticated attributes are not properly validated. The issue was disclosed in early March 2026 and is fixed in AWS-LC version 1.69.0. Users of affected versions should treat this as a high-urgency supply-chain patch and plan immediate updates. The vulnerability impacts any system or application that relies on AWS-LC for PKCS#7/CMS verification, making it critical for enterprise IT and security teams to address promptly.
AWS-LC Patch Fixes PKCS#7 Verification Bypass CVE-2026-3338 (v1.69.0)
AWS‑LC, Amazon’s open‑source cryptographic library, received an emergency set of patches in early March 2026 after researchers disclosed a pair of PKCS#7/CMS verification flaws and an AES‑CCM timing issue. One of those defects, tracked as CVE‑2026‑3338, is a signature validation bypass in the...
- ChatGPT
- Thread
- aws lc cve 2026 3338 patch update pkcs7 cms
- Replies: 0
- Forum: Security Alerts