Severity: 8.7 (CVSS 4.0)

AWS-LC Library Fails to Properly Verify Digital Certificates

GHSA-vw5v-4f2q-w9xf
Summary

Improper certificate validation in PKCS7_verify() in the AWS-LC library lets an unauthenticated attacker bypass certificate chain verification for PKCS7 objects that carry multiple signers: only the final signer's chain is actually checked. Content whose other signers chain to no trusted root can therefore be accepted as if it came from a trusted source. Users of the aws-lc-sys crate should update to 0.38.0 or later.

What to do
  • Update aws-lc-sys to version 0.38.0 or later.
Affected software
Vendor   Product      Affected versions      Fix available
–        aws-lc-sys   >= 0.24.0, < 0.38.0    0.38.0
Original title
AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
Original description
### Summary
AWS-LC is an open-source, general-purpose cryptographic library.

### Impact
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers: the certificate chain of every signer except the final one goes unverified.
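
The failure mode described above, as an added illustrative model in Rust. This is not AWS-LC's code and not the actual defect in PKCS7_verify(), which the advisory does not show; it models the class of bug the advisory names: a verification loop over a multi-signer message in which only the last signer's chain result survives, beside a loop that rejects the message on the first failing signer. The `SignerInfo` and `TrustStore` types, the issuer-name lookup that stands in for X.509 chain building, and the sample signers are all constructed for this example.

```rust
use std::collections::HashSet;

/// Hypothetical stand-in for one PKCS7 SignerInfo: who signed, and which
/// CA issued their certificate. Constructed for this example.
#[derive(Debug, Clone)]
pub struct SignerInfo {
    pub subject: &'static str,
    pub issuer: &'static str,
}

/// Toy trust store: a set of trusted CA names. Real chain building (path
/// construction, signature checks, validity periods, name constraints) is
/// deliberately not modelled here.
pub struct TrustStore {
    roots: HashSet<&'static str>,
}

impl TrustStore {
    pub fn new(roots: &[&'static str]) -> Self {
        TrustStore { roots: roots.iter().copied().collect() }
    }

    /// Stand-in for verifying one signer's certificate chain to a trusted root.
    fn chain_verifies(&self, s: &SignerInfo) -> bool {
        self.roots.contains(s.issuer)
    }

    /// Vulnerable shape: one status variable is overwritten on every iteration,
    /// so only the final signer's chain outcome survives. A message carrying an
    /// untrusted signer followed by any trusted signer is accepted.
    pub fn verify_multi_signer_buggy(&self, signers: &[SignerInfo]) -> bool {
        let mut ok = false;
        for s in signers {
            ok = self.chain_verifies(s); // the previous signer's failure is lost here
        }
        ok
    }

    /// Corrected shape: every signer's chain must verify; fail closed on the
    /// first that does not, and on an empty signer list.
    pub fn verify_multi_signer_fixed(&self, signers: &[SignerInfo]) -> bool {
        !signers.is_empty() && signers.iter().all(|s| self.chain_verifies(s))
    }
}

/// Constructed scenario: an untrusted signer placed before a trusted one.
/// Returns (buggy verdict, fixed verdict).
pub fn demo() -> (bool, bool) {
    let store = TrustStore::new(&["Example Trusted Root CA"]);
    let signers = [
        SignerInfo { subject: "attacker@example.invalid", issuer: "Attacker CA" },
        SignerInfo { subject: "release-bot@example.invalid", issuer: "Example Trusted Root CA" },
    ];
    (
        store.verify_multi_signer_buggy(&signers),
        store.verify_multi_signer_fixed(&signers),
    )
}

fn main() {
    let (buggy, fixed) = demo();
    println!("buggy loop accepts: {buggy}, fixed loop accepts: {fixed}");
}
```

The check that matters when auditing similar code is that the per-signer result is folded into the final verdict (here with `all`) rather than assigned; the buggy form passes every single-signer test and only fails once a second signer is appended, which is why multi-signer inputs belong in the test suite for any PKCS7 or CMS verifier.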

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

#### Impacted versions:
aws-lc-sys versions: >= 0.24.0, < 0.38.0

### Patches
The patch is included in v0.38.0.
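
A dependency check for the range above, as an added example that is not part of the advisory or of the AWS-LC project: a small Rust program that walks a Cargo.lock for aws-lc-sys entries and reports whether each version falls in >= 0.24.0, < 0.38.0. The lockfile excerpt embedded in it is constructed for the example, and the parser handles only the plain `name = "..."` / `version = "..."` lines of `[[package]]` tables, which is all the check needs.

```rust
/// Inclusive lower bound and exclusive upper bound of the affected range
/// stated in the advisory: aws-lc-sys >= 0.24.0, < 0.38.0.
pub const AFFECTED_FROM: (u64, u64, u64) = (0, 24, 0);
pub const FIXED_IN: (u64, u64, u64) = (0, 38, 0);

/// Parse a plain "MAJOR.MINOR.PATCH" version. Anything else (pre-release
/// tags, build metadata, fewer or more components) yields None so it can be
/// flagged for manual review rather than silently treated as safe.
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let parts: Vec<&str> = v.split('.').collect();
    if parts.len() != 3 {
        return None;
    }
    let major = parts[0].parse().ok()?;
    let minor = parts[1].parse().ok()?;
    let patch = parts[2].parse().ok()?;
    Some((major, minor, patch))
}

/// Some(true) if the version is in the affected range, Some(false) if not,
/// None if it could not be parsed. Tuple comparison is lexicographic.
pub fn is_affected(version: &str) -> Option<bool> {
    parse_semver(version).map(|v| v >= AFFECTED_FROM && v < FIXED_IN)
}

/// Record a completed [[package]] entry if it is aws-lc-sys, then reset.
fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<String>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        if n == "aws-lc-sys" {
            out.push(v);
        }
    }
}

/// Minimal line-oriented walk over Cargo.lock's [[package]] tables. The
/// top-level `version = 3` lockfile-format line is discarded because no
/// name accompanies it before the first [[package]] header.
pub fn aws_lc_sys_versions(lock: &str) -> Vec<String> {
    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Every aws-lc-sys version in the lockfile, paired with its verdict.
pub fn scan_lock(lock: &str) -> Vec<(String, Option<bool>)> {
    aws_lc_sys_versions(lock)
        .into_iter()
        .map(|v| {
            let verdict = is_affected(&v);
            (v, verdict)
        })
        .collect()
}

/// Constructed Cargo.lock excerpt for this example (not a real project's lockfile).
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "aws-lc-rs"
version = "1.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "aws-lc-sys"
version = "0.30.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "cc"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for (version, verdict) in scan_lock(SAMPLE_LOCK) {
        let status = match verdict {
            Some(true) => "AFFECTED - upgrade to 0.38.0 or later",
            Some(false) => "not affected",
            None => "unparsed version, review manually",
        };
        println!("aws-lc-sys {version}: {status}");
    }
}
```

For real projects, `cargo audit` against the RustSec advisory database is the normal route; this block stands alone so the inclusive lower bound and exclusive upper bound of the range are explicit. Note that aws-lc-sys is usually pulled in transitively (for instance through aws-lc-rs), so it may appear in Cargo.lock even when no direct dependency names it, which is why the scan reads the lockfile rather than Cargo.toml.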

### Workarounds
There is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

### Resources
If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue.

### Acknowledgement
AWS-LC would like to thank Joshua Rogers (https://joshua.hu/) for collaborating on this issue through the coordinated vulnerability disclosure process.
CVSS 3.1 (GHSA): 7.5
CVSS 4.0 (GHSA): 8.7
Vulnerability type
CWE-295 Improper Certificate Validation
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026