
AWS-LC Flaw Enables Certificate Verification Bypass

Severity

High

Analysis Summary

A critical security bulletin released on March 2, 2026, disclosed three vulnerabilities in AWS-LC, an open-source cryptographic library maintained by Amazon. These vulnerabilities could allow unauthenticated attackers to bypass certificate chain verification and exploit timing side-channel weaknesses, potentially undermining the cryptographic integrity of affected systems. If organizations fail to apply the necessary patches, attackers may be able to manipulate certificate validation processes or infer sensitive cryptographic operations through timing analysis.

Two of the vulnerabilities, CVE-2026-3336 and CVE-2026-3338, affect the PKCS7_verify() function in AWS-LC. The flaw tracked as CVE-2026-3336 stems from improper certificate validation when processing PKCS7 objects containing multiple signers: the verification routine checks only the final signer, allowing attackers to bypass the certificate chain validation mechanism. Similarly, CVE-2026-3338 enables attackers to bypass signature verification entirely when PKCS7 objects include Authenticated Attributes, further weakening the reliability of cryptographic validation within affected implementations.

The third vulnerability, CVE-2026-3337, introduces a timing side-channel issue in AES-CCM authentication tag verification. By measuring small variations in the time required to process encrypted data, attackers can potentially determine whether a cryptographic authentication tag is valid. This leakage could allow adversaries to infer information about encrypted communications, thereby reducing the security guarantees provided by AES-CCM and exposing sensitive cryptographic operations to external observation.
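The following is an added example, not code from the advisory or from AWS-LC, that models the failure mode behind a tag-verification timing leak and the constant-time pattern that closes it. The two comparison functions, the 16-byte tag length (assumed to stand for the M=16 CCM configuration), and the instrumentation that counts inspected bytes are all constructed for illustration; the byte count is a deterministic stand-in for the timing variation an attacker would measure.

```python
"""Model of an authentication-tag check that leaks through timing.

Constructed example: both compare() functions return (equal, bytes_inspected).
The second value records how many tag bytes the routine touched before it
decided, which is the quantity an early-exit comparison exposes via timing.
"""
import hmac
import secrets

TAG_LEN = 16  # assumed tag length, matching the largest CCM tag (M=16) named above


def early_exit_compare(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Leaky pattern: stops at the first differing byte, so the work done
    depends on where the first mismatch lies."""
    if len(expected) != len(received):
        return False, 0
    inspected = 0
    for a, b in zip(expected, received):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_compare(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Hardened pattern: OR-accumulate the XOR of every byte pair and decide
    only at the end, so the work done is independent of the input."""
    if len(expected) != len(received):
        return False, 0
    diff = 0
    inspected = 0
    for a, b in zip(expected, received):
        inspected += 1
        diff |= a ^ b
    return diff == 0, inspected


def leak_profile(compare, expected: bytes) -> list[int]:
    """Bytes inspected for forged tags whose first mismatch is at position k,
    for k = 0..TAG_LEN-1. A leaky compare yields 1..TAG_LEN (the position is
    observable); a constant-time compare yields TAG_LEN for every k."""
    profile = []
    for k in range(TAG_LEN):
        forged = bytearray(expected)
        forged[k] ^= 0x01  # bytes 0..k-1 match, byte k differs
        _, inspected = compare(expected, bytes(forged))
        profile.append(inspected)
    return profile


if __name__ == "__main__":
    tag = secrets.token_bytes(TAG_LEN)
    print("early-exit   :", leak_profile(early_exit_compare, tag))
    print("constant-time:", leak_profile(constant_time_compare, tag))
    # In real code, use the standard library's constant-time helper instead
    # of a hand-written loop.
    print("stdlib agrees:", hmac.compare_digest(tag, tag))
```

Running the block prints a rising profile (1 through 16) for the early-exit comparison and a flat profile (16 everywhere) for the constant-time one; the flat profile is what a reviewer should expect from any tag or MAC check, and `hmac.compare_digest` is the stock way to get it in Python.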

Several software versions are impacted, including AWS-LC 1.21.0 through versions earlier than 1.69.0, AWS-LC-FIPS 3.0.0 through versions earlier than 3.2.0, aws-lc-sys 0.14.0 through versions earlier than 0.38.0, and aws-lc-sys-fips 0.13.0 through versions earlier than 0.13.12. The vulnerabilities CVE-2026-3336 and CVE-2026-3338 currently have no available workarounds, making immediate patching essential. However, for CVE-2026-3337, organizations using specific AES-CCM configurations can temporarily mitigate the issue by routing AES-CCM operations through the EVP AEAD API using implementations such as EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, or EVP_aead_aes_128_ccm_matter. The vulnerabilities were discovered and responsibly disclosed by the AISLE Research Team in coordination with Amazon, highlighting the importance of rapid patch deployment to maintain secure cryptographic operations.

Impact

  • Security Bypass
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-3336
  • CVE-2026-3337
  • CVE-2026-3338

Remediation

  • Immediately upgrade affected versions of AWS-LC to the latest patched releases to address the vulnerabilities CVE-2026-3336, CVE-2026-3337, and CVE-2026-3338.
  • Ensure all systems using impacted packages such as AWS-LC (1.21.0–<1.69.0), AWS-LC-FIPS (3.0.0–<3.2.0), aws-lc-sys (0.14.0–<0.38.0), and aws-lc-sys-fips (0.13.0–<0.13.12) are updated to patched versions.
  • Because there are no workarounds for the PKCS7 verification bypass vulnerabilities (CVE-2026-3336 and CVE-2026-3338), prioritize patch deployment across all environments where certificate verification is performed.
  • For the AES-CCM timing side-channel issue (CVE-2026-3337), temporarily mitigate the risk by routing AES-CCM operations through the EVP AEAD API.
  • Use secure implementations such as EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, or EVP_aead_aes_128_ccm_matter when operating with AES-CCM configurations (M=4, L=2), (M=8, L=2), or (M=16, L=2).
  • Regularly monitor cryptographic libraries and dependencies for security advisories from Amazon and apply updates promptly to prevent exploitation.
  • Conduct security testing and validation after applying patches to ensure certificate verification and cryptographic operations function correctly without bypass risks.
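To support the version-range checks in the Analysis Summary and the first two remediation items, here is an added example (not the advisory's or AWS-LC's own tooling) that encodes the affected ranges quoted above and scans a Cargo.lock for the Rust crates in them. The Cargo.lock excerpt and its version numbers are constructed for illustration; the ranges come from the advisory, with inclusive lower bounds and exclusive upper bounds as the "X through versions earlier than Y" wording states.

```python
"""Affected-version check for the AWS-LC advisory above.

Added example. AFFECTED_RANGES holds (first affected, first fixed) per
package exactly as the advisory lists them; SAMPLE_CARGO_LOCK is constructed.
"""
import re

AFFECTED_RANGES = {
    "aws-lc": ("1.21.0", "1.69.0"),
    "aws-lc-fips": ("3.0.0", "3.2.0"),
    "aws-lc-sys": ("0.14.0", "0.38.0"),
    "aws-lc-sys-fips": ("0.13.0", "0.13.12"),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '0.13.12' into (0, 13, 12); any pre-release or build suffix is ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(package: str, version: str) -> bool:
    """True when `version` of `package` lies in [first affected, first fixed)."""
    name = package.lower()
    if name not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[name]
    return parse_version(low) <= parse_version(version) < parse_version(high)


# A Cargo.lock [[package]] entry starts with consecutive name/version lines.
_PKG_RE = re.compile(r'\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"')


def scan_cargo_lock(lock_text: str) -> list[tuple[str, str]]:
    """Return the (package, version) pairs in a Cargo.lock that are affected."""
    return [
        (name, version)
        for name, version in _PKG_RE.findall(lock_text)
        if is_affected(name, version)
    ]


# Constructed Cargo.lock excerpt; crate versions chosen for illustration only.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "serde"
version = "1.0.0"

[[package]]
name = "aws-lc-sys"
version = "0.30.0"

[[package]]
name = "aws-lc-sys-fips"
version = "0.13.12"
"""

if __name__ == "__main__":
    for name, version in scan_cargo_lock(SAMPLE_CARGO_LOCK):
        print(f"{name} {version}: affected, upgrade required")
```

In the sample, aws-lc-sys 0.30.0 is flagged while aws-lc-sys-fips 0.13.12 is not, since 0.13.12 is the first fixed release; the same `is_affected` check can be pointed at the AWS-LC or AWS-LC-FIPS version string reported by a native build.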