A recent security bulletin has revealed critical vulnerabilities in AWS-LC, Amazon’s open-source cryptographic library. These flaws could allow attackers to bypass certificate chain verification and exploit timing side-channels, posing significant risks to affected systems.
Details of the Vulnerabilities
Published on March 2, 2026, the disclosure outlines three vulnerabilities targeting AWS-LC. The most prominent issues involve the PKCS7_verify() function, where flaws allow bypassing of certificate validation. Specifically, CVE-2026-3336 and CVE-2026-3338 permit attackers to exploit these weaknesses during signature verification of PKCS7 objects.
The timing side-channel vulnerability, identified as CVE-2026-3337, affects AES-CCM tag verification. By analyzing processing times, attackers can determine the validity of authentication tags, thereby compromising cryptographic operations.
Affected Versions and Urgent Updates
Amazon has urged all users to update to the latest versions of AWS-LC promptly. The affected versions include AWS-LC 1.21.0 to below 1.69.0, AWS-LC-FIPS 3.0.0 to below 3.2.0, and specific aws-lc-sys versions. All these versions have now been patched to address the vulnerabilities.
The AISLE Research Team, in collaboration with AWS, discovered these issues through a coordinated vulnerability disclosure process. While workarounds for PKCS7 vulnerabilities are unavailable, a mitigation strategy for the AES-CCM flaw exists for certain configurations.
Mitigation Strategies and Future Outlook
Organizations are advised to implement the latest patches to mitigate these vulnerabilities. For the AES-CCM timing flaw, temporary workarounds are available for configurations using specific parameters. By routing AES-CCM through the EVP AEAD API, using designated implementations, users can reduce risks.
As cyber threats evolve, maintaining up-to-date security measures becomes crucial. Following these updates will help safeguard cryptographic integrity across environments.
Stay informed by following cybersecurity news on platforms like Google News, LinkedIn, and X. For further assistance, contact us to feature your stories or inquiries.
