Amazon Issues Major Security Bulletin to Address Vulnerabilities in AWS-LC Cryptographic Library
In a pivotal move to ensure the security of digital infrastructures, Amazon has released a significant security bulletin (2026-005-AWS) identifying three high-severity vulnerabilities within AWS-LC, its widely-utilized open-source cryptographic library. This announcement follows a coordinated disclosure process facilitated by the AISLE Research Team, which uncovered these critical flaws posing substantial risks to cloud infrastructure, a backbone for many enterprises in today’s digital age.
Developers globally rely on AWS-LC as a general-purpose library designed to safeguard digital communications. This extensive usage underpins the importance of promptly addressing any vulnerabilities that may compromise the library’s integrity. The newly identified vulnerabilities have raised alarms, revealing that unauthenticated attackers might exploit these flaws to bypass essential certificate validations and take advantage of discrepancies in system timing to gain access to sensitive data, potentially leading to severe breaches.
Breakdown of Vulnerabilities
Security researchers have delineated three distinct vulnerabilities affecting how AWS-LC executes cryptographic processes. The focus of concern revolves around the PKCS7_verify() function, a critical component responsible for validating digital certificates and signatures, and its implications for overall system security.
-
CVE-2026-3336: The first vulnerability involves a certificate chain validation bypass. It occurs when processing PKCS7 objects with multiple signers, allowing an unauthenticated user to exploit this improper validation, effectively sidestepping chain verification for all but the final signer in the sequence. This flaw underlines a significant loophole in the cryptographic verification process, potentially enabling malicious actors to compromise systems without detection.
-
CVE-2026-3337: The second vulnerability highlights a notable observable timing side-channel that emerges during AES-CCM decryption. Unauthenticated attackers can analyze minuscule delays in processing time, potentially discerning whether an authentication tag is valid. This flaw severely impacts the integrity of encrypted data, creating an exploitable pathway for unauthorized access.
- CVE-2026-3338: Similar to the first issue, this vulnerability consists of improper signature validation within the
PKCS7_verify()function, enabling unauthenticated users to bypass signature verification entirely when processing PKCS7 objects containing Authenticated Attributes. This weakness compounds the risks associated with the first vulnerability, offering attackers additional avenues to undermine security measures.
Recommendations and Urgent Response
In light of these dangers, Amazon has issued a strong recommendation for all customers to upgrade to the latest major versions of AWS-LC to fortify their environments. The identified vulnerabilities impact a range of versions within the AWS-LC library and its corresponding system packages. Specifically, the flaws connected to PKCS7 affect AWS-LC versions between v1.41.0 and v1.69.0, along with aws-lc-sys versions between v0.24.0 and v0.38.0. On the other hand, the timing side-channel vulnerability extends its reach, affecting AWS-LC starting from v1.21.0, including FIPS versions like AWS-LC-FIPS 3.0.0 through 3.2.0.
To ameliorate these security gaps, Amazon has patched the PKCS7 bypass vulnerabilities in AWS-LC v1.69.0 and aws-lc-sys v0.38.0. The timing side-channel flaw has also been addressed across AWS-LC v1.69.0, AWS-LC-FIPS-3.2.0, aws-lc-sys v0.38.0, and aws-lc-sys-fips v0.13.12. This comprehensive approach highlights Amazon’s commitment to ensuring that its cryptographic library remains secure from potential exploitation.
Unfortunately, it is essential to note that there are no recognized workarounds for the certificate and signature validation bypasses, underscoring the urgency for immediate patching as the only viable strategy to safeguard systems. However, in a temporary mitigation for the timing side-channel vulnerability, administrators can employ specific configurations when using AES-CCM, such as parameters (M=4, L=2), (M=8, L=2), or (M=16, L=2), by routing encryption through the EVP AEAD API. Implementing configurations like EVP_aead_aes_128_ccm_bluetooth or EVP_aead_aes_128_ccm_matter may provide security teams with a stopgap solution until they can deploy the official patches.
In summary, the revelation of these high-severity vulnerabilities in AWS-LC is a stark reminder of the constant threats facing digital infrastructures today. Amazon’s swift response and proactive measures emphasize the necessity for organizations to stay vigilant and proactive in their cybersecurity approaches, particularly as reliance on open-source cryptographic libraries escalates. Organizations using AWS-LC are urged to act promptly to safeguard their systems and protect sensitive data from potential breaches.