CVE-2026-3336

EUVD-2026-9264
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
amazonaws-lc-sys
0.24.0 ≤
𝑥
< 0.38.0
amazonaws_libcrypto
1.41.0 ≤
𝑥
< 1.69.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
Red HatRed Hat Trusted Artifact Signer 1.3
1773307309 ≤
𝑥
< *
ADP
Red HatRed Hat Trusted Artifact Signer 1.3
1773307309 ≤
𝑥
< *
ADP
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
amazon-efs-utils
Amazon Linux 2
0:3.0.0-4.amzn2
fixed
Amazon Linux 2023
0:3.0.0-4.amzn2023
fixed
mount-s3
Amazon Linux 2023
0:1.22.2-1.amzn2023
fixed
mount-s3-debuginfo
Amazon Linux 2023
0:1.22.2-1.amzn2023
fixed
mount-s3-debugsource
Amazon Linux 2023
0:1.22.2-1.amzn2023
fixed