PatchSiren cyber security CVE debrief
CVE-2026-3338 AWS CVE debrief
CVE-2026-3338 is a HIGH-severity vulnerability in AWS-LC, a cryptographic library developed by Amazon. It is caused by improper signature validation in the PKCS7_verify() function, which allows an unauthenticated user to bypass signature verification when processing PKCS7 objects that carry Authenticated Attributes. The vulnerability was published on March 2, 2026, and last modified on June 30, 2026. Customers of AWS services do not need to take action, but applications that build against AWS-LC should upgrade to AWS-LC version 1.69.0. The Common Vulnerability Scoring System (CVSS) score is 8.7 (HIGH). The issue is tracked as CVE-2026-3338 and has been addressed by Amazon through an update to AWS-LC.
- Vendor: AWS
- Product: AWS-LC
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-02
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-02
- Advisory updated: 2026-06-30
Who should care
Organizations that use AWS-LC in their applications should be aware of this vulnerability and upgrade to AWS-LC version 1.69.0 or later. This includes developers and administrators responsible for maintaining and securing applications that link against AWS-LC. Security and vulnerability management teams should also be aware of the issue and assess their organization's exposure.
Technical summary
The vulnerability is caused by improper signature validation in the PKCS7_verify() function in AWS-LC. This function verifies the signature on PKCS7 objects, a format used to encapsulate and protect data. The defect allows an unauthenticated user to bypass signature verification when processing PKCS7 objects that carry Authenticated Attributes. This could allow an attacker to forge or tamper with data, leading to a loss of integrity and confidentiality. The vulnerability has a CVSS score of 8.7, indicating a high level of severity.
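To make clear why Authenticated Attributes matter to a verifier, the following added example (not code from the page or from AWS-LC) models the PKCS#7 / CMS SignedData verification flow described in RFC 5652: when signed attributes are present, the signature covers the encoded attributes rather than the content, and the content is bound in only through the messageDigest attribute, so a correct verifier must check the signature over the attributes and the attribute-to-content digest binding. HMAC-SHA256 stands in for the signer's asymmetric signature, the attribute encoding is a simplified stand-in for DER, and the key and payloads are constructed. The example does not reproduce the AWS-LC defect itself; it shows the checks a verifier is expected to perform.

```python
"""Model of PKCS#7 / CMS SignedData verification with signed (authenticated)
attributes. HMAC-SHA256 stands in for the signer's asymmetric signature and
a line-based encoding stands in for DER; both are simplifications."""
import hashlib
import hmac

# Constructed demo key. In real SignedData the signer's private key signs and
# the certificate's public key verifies; a shared HMAC key is used here only
# so the example runs offline.
DEMO_KEY = b"constructed-demo-key"


def content_digest(content: bytes) -> bytes:
    return hashlib.sha256(content).digest()


def encode_attrs(attrs: dict) -> bytes:
    """Deterministic encoding of the signed attributes, standing in for the
    DER SET OF Attribute that the signature actually covers (RFC 5652 s5.4)."""
    return b"".join(
        k.encode() + b"=" + v.hex().encode() + b"\n" for k, v in sorted(attrs.items())
    )


def toy_sign(data: bytes, key: bytes = DEMO_KEY) -> bytes:
    return hmac.new(key, data, "sha256").digest()


def sign_with_attrs(content: bytes, key: bytes = DEMO_KEY) -> dict:
    """Produce a SignerInfo-like record with signed attributes. The signature
    is computed over the attributes, not over the content; the content is
    bound in only via the messageDigest attribute."""
    attrs = {
        "contentType": b"data",
        "messageDigest": content_digest(content),
    }
    return {
        "content": content,
        "signedAttrs": attrs,
        "signature": toy_sign(encode_attrs(attrs), key),
    }


def sign_without_attrs(content: bytes, key: bytes = DEMO_KEY) -> dict:
    """Signature directly over the content digest (no authenticated attributes)."""
    return {"content": content, "signedAttrs": None,
            "signature": toy_sign(content_digest(content), key)}


def verify(msg: dict, key: bytes = DEMO_KEY) -> bool:
    """All checks below are required when signed attributes are present.
    Skipping any of them lets a record with a valid-looking signature carry
    content the signer never saw."""
    attrs = msg.get("signedAttrs")
    if attrs is None:
        # No attributes: the signature is directly over the content digest.
        expected = toy_sign(content_digest(msg["content"]), key)
        return hmac.compare_digest(expected, msg["signature"])
    # 1. The signature must validate over the encoded signed attributes.
    if not hmac.compare_digest(toy_sign(encode_attrs(attrs), key), msg["signature"]):
        return False
    # 2. contentType and messageDigest MUST both be present when signed
    #    attributes are present (RFC 5652 s11.1 and s11.2).
    if "contentType" not in attrs or "messageDigest" not in attrs:
        return False
    # 3. messageDigest must equal the digest of the content actually delivered;
    #    it is the only link between the signature and the content.
    return hmac.compare_digest(attrs["messageDigest"], content_digest(msg["content"]))
```

A useful regression test for any PKCS7/CMS verifier is to sign a payload with attributes, replace the payload while leaving the attributes and signature untouched, and confirm that verification fails; step 3 is what makes that case fail here.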
Defensive priority
Upgrading AWS-LC to version 1.69.0 or later should be treated as high priority. Organizations should also review the applications and systems that link against AWS-LC to confirm none remain on a vulnerable version.
Recommended defensive actions
- Upgrade AWS-LC to version 1.69.0 or later
- Review applications and systems that use AWS-LC to confirm they are not running a vulnerable version
- Monitor for suspicious activity involving PKCS7 objects with Authenticated Attributes
- Consider additional security controls to protect against potential attacks
- Verify that all affected systems and applications have been updated to the patched version of AWS-LC
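The review and verification steps above amount to an inventory question: which deployed components carry an AWS-LC build older than 1.69.0? The following added script (not from the page or from AWS) answers that over a list of component records. The records are constructed here and use the field names of a CycloneDX-style SBOM ("name", "version", plus an assumed "origin" field for where the component was found); the 1.69.0 threshold is the fixed version the page names. Wrapper packages that embed AWS-LC under their own version numbers are not matched and would need a separate mapping.

```python
"""Flag inventory entries whose AWS-LC version is older than the fixed
release 1.69.0 given in the advisory. Input records are constructed."""
import re

FIXED_VERSION = (1, 69, 0)  # first fixed AWS-LC release per the advisory
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Return (major, minor, patch) or None when the string is not a version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_aws_lc(component: dict) -> bool:
    # Match the library itself only; wrapper packages carry their own
    # version numbers and must be mapped to an AWS-LC version separately.
    return component.get("name", "").lower().replace("_", "-") == "aws-lc"


def classify(components, fixed=FIXED_VERSION) -> dict:
    """Sort AWS-LC entries into affected / fixed / unknown buckets."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for c in components:
        if not is_aws_lc(c):
            continue
        label = f"{c.get('name')} {c.get('version', '?')} @ {c.get('origin', 'unknown origin')}"
        v = parse_version(c.get("version", ""))
        if v is None:
            result["unknown"].append(label)   # needs manual review
        elif v < fixed:
            result["affected"].append(label)
        else:
            result["fixed"].append(label)
    return result


# Constructed sample inventory; "origin" is an assumed field for this example.
SAMPLE_COMPONENTS = [
    {"name": "aws-lc", "version": "1.68.0", "origin": "service-a container"},
    {"name": "AWS-LC", "version": "v1.69.0", "origin": "service-b container"},
    {"name": "aws_lc", "version": "1.70.1", "origin": "build host"},
    {"name": "aws-lc", "version": "unknown", "origin": "legacy appliance"},
    {"name": "openssl", "version": "3.0.2", "origin": "service-c container"},
]


def report(components=SAMPLE_COMPONENTS) -> str:
    r = classify(components)
    lines = []
    for bucket in ("affected", "unknown", "fixed"):
        lines.append(f"{bucket} ({len(r[bucket])}):")
        lines.extend("  " + entry for entry in r[bucket])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Entries in the "unknown" bucket are not safe to ignore: a component whose version string cannot be parsed still has to be checked by hand before it is marked remediated.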
Evidence notes
The evidence for this vulnerability comes from the NVD and CVE.org. The CVE was published on March 2, 2026, and last modified on June 30, 2026. Its CVSS score is 8.7 (HIGH). The issue is tracked as CVE-2026-3338 and has been addressed by Amazon through an update to AWS-LC.
Official resources
- CVE-2026-3338 CVE record (CVE.org)
- CVE-2026-3338 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: ff89ba41-3aa1-4d27-914a-91399e9639e5 - Vendor Advisory
- Mitigation or vendor reference: ff89ba41-3aa1-4d27-914a-91399e9639e5 - Release Notes
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.