PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3338 AWS CVE debrief

CVE-2026-3338 is a HIGH-severity vulnerability in AWS-LC, a cryptographic library developed by Amazon. The vulnerability is caused by improper signature validation in the PKCS7_verify() function, which allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. This vulnerability was published on March 2, 2026, and last modified on June 30, 2026. Customers of AWS services do not need to take action, but applications using AWS-LC should upgrade to AWS-LC version 1.69.0. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 8.7, indicating a high level of severity. The vulnerability is tracked by CVE-2026-3338 and has been addressed by Amazon through an update to AWS-LC.

Vendor
AWS
Product
AWS-LC
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-02
Original CVE updated
2026-06-30
Advisory published
2026-03-02
Advisory updated
2026-06-30

Who should care

Organizations using AWS-LC in their applications should be aware of this vulnerability and take action to upgrade to AWS-LC version 1.69.0 or later. This includes developers and administrators responsible for maintaining and securing applications that utilize AWS-LC. Additionally, security teams and vulnerability management teams should be aware of this vulnerability and assess their organization's exposure.

Technical summary

The vulnerability is caused by improper signature validation in the PKCS7_verify() function in AWS-LC. This function is used to verify the signature of PKCS7 objects, which are used to encapsulate and protect data. The vulnerability allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. This could potentially allow an attacker to forge or tamper with data, leading to a loss of integrity and confidentiality. The vulnerability has a CVSS score of 8.7, indicating a high level of severity.

Defensive priority

High priority should be given to upgrading AWS-LC to version 1.69.0 or later. Additionally, organizations should review their applications and systems that use AWS-LC to ensure they are not vulnerable to this issue.

Recommended defensive actions

  • Upgrade AWS-LC to version 1.69.0 or later
  • Review applications and systems that use AWS-LC to ensure they are not vulnerable to this issue
  • Monitor for any suspicious activity related to PKCS7 objects with Authenticated Attributes
  • Consider implementing additional security controls to protect against potential attacks
  • Verify that all affected systems and applications have been updated with the patched version of AWS-LC

Evidence notes

The evidence for this vulnerability comes from the NVD and CVE.org. The vulnerability was published on March 2, 2026, and last modified on June 30, 2026. The CVSS score for this vulnerability is 8.7, indicating a high level of severity. The vulnerability is tracked by CVE-2026-3338 and has been addressed by Amazon through an update to AWS-LC.

Official resources

This article is AI-assisted and based on the supplied source corpus.