Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
AWS-LC PKCS7 Signature Verification Can Be Bypassed
GHSA-hfpc-8r3f-gw53
Summary
A security issue in AWS-LC's signature verification process allows an attacker to pretend to be someone they're not. This affects apps using aws-lc-sys, so update to the latest version to stay secure. You don't need to take action if you're just a customer of AWS services.
What to do
- Update aws-lc-sys to version 0.38.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | aws-lc-sys | > 0.24.0 , <= 0.38.0 | 0.38.0 |
Original title
AWS-LC has PKCS7_verify Signature Validation Bypass
Original description
### Summary
AWS-LC is an open-source, general-purpose cryptographic library.
### Impact
Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
#### Impacted versions:
aws-lc-sys versions: >= 0.24.0, < 0.38.0
### Patches
The patch is included in v0.38.0
### Workarounds
There is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
### Resources
If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue.
AWS-LC is an open-source, general-purpose cryptographic library.
### Impact
Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
#### Impacted versions:
aws-lc-sys versions: >= 0.24.0, < 0.38.0
### Patches
The patch is included in v0.38.0
### Workarounds
There is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
### Resources
If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue.
ghsa CVSS3.1
7.5
Vulnerability type
CWE-347
Improper Verification of Cryptographic Signature
- https://github.com/aws/aws-lc-rs/security/advisories/GHSA-hfpc-8r3f-gw53
- https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj
- https://nvd.nist.gov/vuln/detail/CVE-2026-3338
- https://aws.amazon.com/security/security-bulletins/2026-005-AWS
- https://github.com/advisories/GHSA-hfpc-8r3f-gw53
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026