PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3336 AWS CVE debrief

CVE-2026-3336 is a HIGH-severity vulnerability in AWS-LC, a cryptographic library developed by Amazon. The vulnerability is caused by improper certificate validation in the PKCS7_verify() function, which allows an unauthenticated attacker to bypass certificate chain verification when processing PKCS7 objects with multiple signers. However, customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0 to mitigate this vulnerability. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 8.7, indicating a high level of severity. The vulnerability was published on March 2, 2026, and last modified on June 30, 2026.

Vendor
AWS
Product
AWS-LC
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-02
Original CVE updated
2026-06-30
Advisory published
2026-03-02
Advisory updated
2026-06-30

Who should care

Organizations using AWS-LC in their applications should prioritize upgrading to AWS-LC version 1.69.0 to mitigate this vulnerability. Additionally, security teams and developers responsible for maintaining and updating cryptographic libraries should be aware of this vulnerability and take necessary actions. Red Hat users can refer to errata RHSA-2026:5459 for more information.

Technical summary

The vulnerability is caused by improper certificate validation in the PKCS7_verify() function in AWS-LC. This function is used to verify the certificate chain of a PKCS7 object, which is a type of cryptographic message. The vulnerability allows an unauthenticated attacker to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. This could potentially allow an attacker to forge or tamper with cryptographic messages. The vulnerability has a CVSS score of 8.7, indicating a high level of severity. AWS-LC version 1.69.0 fixes this vulnerability.

Defensive priority

Upgrade to AWS-LC version 1.69.0 to mitigate this vulnerability. Review and update cryptographic library dependencies to ensure the latest security patches are applied.

Recommended defensive actions

  • Upgrade to AWS-LC version 1.69.0
  • Review and update cryptographic library dependencies
  • Monitor for any suspicious activity related to PKCS7 objects
  • Implement additional security measures to detect and prevent potential attacks
  • Refer to vendor advisories and errata for more information

Evidence notes

The vulnerability was published on March 2, 2026, and last modified on June 30, 2026. The CVSS score for this vulnerability is 8.7, indicating a high level of severity. AWS-LC version 1.69.0 fixes this vulnerability. Customers of AWS services do not need to take action. Red Hat users can refer to errata RHSA-2026:5459 for more information.

Official resources

This article is AI-assisted and based on the supplied source corpus.