PatchSiren cyber security CVE debrief
CVE-2026-3336 AWS CVE debrief
CVE-2026-3336 is a HIGH-severity vulnerability in AWS-LC, a cryptographic library developed by Amazon. The flaw is improper certificate validation in the PKCS7_verify() function: when a PKCS7 object carries multiple signers, an unauthenticated attacker can bypass certificate chain verification. Customers of AWS services do not need to take action; applications that embed AWS-LC directly should upgrade to AWS-LC version 1.69.0, which fixes the issue. The Common Vulnerability Scoring System (CVSS) score is 8.7, indicating high severity. The vulnerability was published on March 2, 2026, and last modified on June 30, 2026.
- Vendor: AWS
- Product: AWS-LC
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-02
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-02
- Advisory updated: 2026-06-30
Who should care
Organizations that build or ship applications on AWS-LC should prioritize upgrading to AWS-LC version 1.69.0. Security teams and developers responsible for maintaining cryptographic library dependencies should confirm which of their components link AWS-LC and apply the upgrade. Red Hat users can refer to errata RHSA-2026:5459 for more information.
Technical summary
The vulnerability is caused by improper certificate validation in the PKCS7_verify() function in AWS-LC. This function verifies the signatures on a PKCS7 signed-data object and the certificate chain of each signer. When a PKCS7 object carries multiple signers, certificate chain verification is bypassed for every signer except the final one, so an unauthenticated attacker can present a multi-signer object whose earlier signers are never chained to a trusted root. This could allow an attacker to forge or tamper with cryptographic messages that the application accepts as verified. The vulnerability has a CVSS score of 8.7, indicating high severity. AWS-LC version 1.69.0 fixes this vulnerability.
Defensive priority
Upgrade to AWS-LC version 1.69.0 to mitigate this vulnerability. Review and update cryptographic library dependencies to ensure the latest security patches are applied.
Recommended defensive actions
- Upgrade to AWS-LC version 1.69.0
- Review and update cryptographic library dependencies, including vendored or statically linked copies of AWS-LC
- Identify code paths that call PKCS7_verify() on externally supplied PKCS7 objects and monitor them for multi-signer inputs
- Where PKCS7 verification gates a security decision, add logging and alerting for verification failures and unexpected signer counts
- Refer to vendor advisories and errata for more information
Evidence notes
The vulnerability was published on March 2, 2026, and last modified on June 30, 2026. The CVSS score for this vulnerability is 8.7, indicating a high level of severity. AWS-LC version 1.69.0 fixes this vulnerability. Customers of AWS services do not need to take action. Red Hat users can refer to errata RHSA-2026:5459 for more information.
Official resources
- CVE-2026-3336 CVE record (CVE.org)
- CVE-2026-3336 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: ff89ba41-3aa1-4d27-914a-91399e9639e5 (Vendor Advisory, Release Notes)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.