2026-005-AWS
Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)
Bulletin ID: 2026-005-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/03/02 14:30 PM PST
Description:
AWS-LC is an open-source, general-purpose cryptographic library. We identified three distinct issues:
- CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC
  Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.
- CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification in AWS-LC
  Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.
- CVE-2026-3338: PKCS7_verify Signature Validation bypass in AWS-LC
  Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Impacted versions:
- PKCS7_verify Certificate Chain Validation Bypass in AWS-LC >= v1.41.0
- PKCS7_verify Certificate Chain Validation Bypass in aws-lc-sys >= v0.24.0
- Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= v1.21.0
- Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= AWS-LC-FIPS-3.0.0
- Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys >= v0.14.0
- Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys-fips >= v0.13.0
- PKCS7_verify Signature Validation bypass in AWS-LC >= v1.41.0
- PKCS7_verify Signature Validation bypass in aws-lc-sys >= v0.24.0
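The three issues enter the Rust crates at different releases, so a given dependency may fall inside one range but not the others. The following triage sketch is an added example, not part of the bulletin or any AWS tooling: it reads a Cargo.lock and reports which of the lower bounds listed above each `aws-lc-sys` / `aws-lc-sys-fips` entry has reached. The sample lock file and the `example-app` package are constructed; fixed versions are not listed in this section and are therefore not modelled.

```python
import re

# Lower bounds from the bulletin's "Impacted versions" list (Rust crates only).
# Fixed versions are not listed in this section, so a hit means the version is
# at or above the first impacted release, not that it is confirmed unpatched.
IMPACTED_FROM = {
    "aws-lc-sys": {
        "CVE-2026-3336": (0, 24, 0),
        "CVE-2026-3337": (0, 14, 0),
        "CVE-2026-3338": (0, 24, 0),
    },
    "aws-lc-sys-fips": {"CVE-2026-3337": (0, 13, 0)},
}

# A Cargo.lock [[package]] entry lists name first, then version.
PACKAGE_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')

def parse_version(text):
    """Return the numeric (major, minor, patch) core, ignoring -pre/+build."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"not a semver string: {text!r}")
    return tuple(int(part) for part in match.groups())

def triage(lock_text):
    """List (crate, version, [CVE ids whose lower bound is reached])."""
    findings = []
    for name, version in PACKAGE_RE.findall(lock_text):
        bounds = IMPACTED_FROM.get(name)
        if bounds is None:
            continue  # crate is not named in the bulletin
        parsed = parse_version(version)
        cves = sorted(cve for cve, low in bounds.items() if parsed >= low)
        findings.append((name, version, cves))
    return findings

# Constructed sample: two aws-lc-sys versions can coexist in one lock file.
SAMPLE_LOCK = '''
version = 3
[[package]]
name = "example-app"
version = "1.0.0"
[[package]]
name = "aws-lc-sys"
version = "0.20.1"
[[package]]
name = "aws-lc-sys"
version = "0.24.0"
[[package]]
name = "aws-lc-sys-fips"
version = "0.12.9"
'''

if __name__ == "__main__":
    for crate, version, cves in triage(SAMPLE_LOCK):
        print(crate, version, ", ".join(cves) or "below all listed lower bounds")
```

An empty CVE list rules that entry out for the ranges listed here; a non-empty list still has to be compared against the fixed versions in the full bulletin.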
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.