Severity: 8.7 (CVSS 4.0)

AWS-LC fails to verify some certificates in multi-signer emails

CVE-2026-3336
Summary

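A bug in the way AWS-LC's PKCS7_verify() handles PKCS7 objects, the signed-data format used for signed email, makes it possible for an attacker to bypass certificate chain verification. When an object has multiple signers, the bypass applies to every signer except the final one. This only affects applications using an older version of AWS-LC. To fix the issue, update AWS-LC to version 1.69.0.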

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|--------|---------|-------------------|---------------|
| aws | aws_libcrypto | > 1.41.0, <= 1.69.0 | |
| amazon | aws-lc-sys | > 0.24.0, <= 0.38.0 | |
| amazon | aws_libcrypto | > 1.41.0, <= 1.69.0 | |
Original title
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the f...
Original description
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-295 Improper Certificate Validation
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026