8.7
AWS-LC: Unauthenticated users can bypass digital signatures in certain emails
CVE-2026-3338
Summary
A bug in the way AWS-LC's PKCS7_verify() verifies digital signatures on PKCS7 objects with Authenticated Attributes can allow unauthenticated attackers to bypass signature verification and impersonate trusted senders in certain situations. This could lead to malicious emails being accepted as legitimate. If your applications use AWS-LC, update to the latest version.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| aws | aws_libcrypto | > 1.41.0 , <= 1.69.0 | – |
| amazon | aws-lc-sys | > 0.24.0 , <= 0.38.0 | – |
| amazon | aws_libcrypto | > 1.41.0 , <= 1.69.0 | – |
Original title
Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Customers o...
Original description
Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
nvd CVSS3.1
7.5
nvd CVSS4.0
8.7
Vulnerability type
CWE-347
Improper Verification of Cryptographic Signature
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026