CVE-2026-3338 – AWS-LC Cryptographic Validation and Timing Side-Channel

CVSS 7.5 IMPORTANT

“When cryptographic validation breaks, attackers don’t need to crack encryption—they just walk around it.”

Amazon patched three vulnerabilities in AWS-LC, its open-source cryptographic library derived from BoringSSL. The update addresses validation bypass and timing side-channel weaknesses that could allow attackers to undermine cryptographic trust checks in applications that rely on the library.

Two vulnerabilities affect the PKCS7_verify() function. CVE-2026-3336 allows an unauthenticated user to bypass certificate chain validation when processing PKCS7 objects with multiple signers. CVE-2026-3338 allows signature verification bypass when PKCS7 objects include authenticated attributes. Both flaws could allow attackers to trick applications into trusting malicious or improperly validated signed content. Each has a CVSS score of 7.5, which is High severity.

The third issue, CVE-2026-3337, is a timing side-channel in AES-CCM decryption that may reveal authentication tag validity through observable timing differences during decryption operations. CVE-2026-3337 has a CVSS score of 5.9, which is Medium severity.

These issues affect AWS-LC versions prior to 1.69.0 and related bindings such as aws-lc-sys. Amazon resolved all three vulnerabilities in AWS-LC version 1.69.0 and corresponding library updates.
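
To check a build against the fix boundary above, the following shell helpers are an added example, not code from Amazon or from the original page. They assume the AWS-LC version is read from the `AWSLC_VERSION_NUMBER_STRING` define in AWS-LC's `openssl/base.h` and the aws-lc-sys version from a `Cargo.lock`; the sample files are constructed, and the fixed aws-lc-sys release is not stated here, so it has to come from the vendor advisory.

```shell
#!/bin/sh
# Added example: audit helpers for the AWS-LC fix boundary given on this page.
FIXED_AWS_LC="1.69.0"   # from the page: release that resolves all three CVEs

# ver_lt A B: exit 0 when dotted version A is numerically older than B.
# Fields compare as integers, so 1.9.0 < 1.69.0 (a string compare gets this wrong).
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not older
    }'
}

# awslc_header_version FILE: print AWSLC_VERSION_NUMBER_STRING from openssl/base.h.
awslc_header_version() {
    sed -n 's/^#define[[:space:]]*AWSLC_VERSION_NUMBER_STRING[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# lock_versions FILE CRATE: print every locked version of CRATE in a Cargo.lock.
lock_versions() {
    awk -v want="name = \"$2\"" '
        $0 == want { hit = 1; next }
        hit && /^version = / { gsub(/^version = "|"$/, ""); print; hit = 0 }
    ' "$1"
}

# audit_awslc VERSION: classify an AWS-LC version against the fixed release.
audit_awslc() {
    if ver_lt "$1" "$FIXED_AWS_LC"; then echo "VULNERABLE"; else echo "patched"; fi
}

# Constructed sample inputs (not taken from a real build).
tmp=$(mktemp -d)
printf '#define AWSLC_VERSION_NUMBER_STRING "1.9.0"\n' > "$tmp/base.h"
printf '[[package]]\nname = "aws-lc-sys"\nversion = "0.1.0"\n' > "$tmp/Cargo.lock"

v=$(awslc_header_version "$tmp/base.h")
echo "AWS-LC $v: $(audit_awslc "$v")"
# The fixed aws-lc-sys release is not stated on the page; compare against the vendor advisory.
echo "aws-lc-sys locked at: $(lock_versions "$tmp/Cargo.lock" aws-lc-sys)"
rm -rf "$tmp"
```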

Key Details

Affected Product: Amazon Aws-lc-sys
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-347