8.2
AWS-LC AES-CCM decryption can leak authentication tag validity through timing
CVE-2026-3337
Summary
Applications using AES-CCM decryption in AWS-LC may be vulnerable to a timing attack, in which an attacker measures how long a decryption takes to learn whether it succeeded. This could allow an attacker to determine whether an authentication tag is valid. Applications using AWS-LC should be updated to version 1.69.0 to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| aws | aws_libcrypto | > 1.21.0 , <= 1.69.0 | – |
| aws | aws_libcrypto | > 3.0.0 , <= 3.2.0 | – |
| amazon | aws-lc-fips-sys | > 0.13.0 , <= 0.13.12 | – |
| amazon | aws-lc-sys | > 0.14.0 , <= 0.38.0 | – |
| amazon | aws_libcrypto | > 1.21.0 , <= 1.69.0 | – |
| amazon | aws_libcrypto | > 3.0.0 , <= 3.2.0 | – |
Original title
Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.
Original description
Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.
The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
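To check a Rust or C code base against this advisory, the sketch below flags `Cargo.lock` entries that fall inside the crate ranges listed in the table above and finds call sites of the three impacted EVP ciphers. It is an added example, not code from the advisory or from AWS-LC; the function names and the sample inputs are constructed for illustration.

```python
import re

# Ranges from the "Affected software" table: (exclusive low, inclusive high).
AFFECTED = {
    "aws-lc-sys": ((0, 14, 0), (0, 38, 0)),
    "aws-lc-fips-sys": ((0, 13, 0), (0, 13, 12)),
}
# EVP CIPHER entry points named in the original description.
CCM_CIPHERS = re.compile(r"\bEVP_aes_(?:128|192|256)_ccm\b")

def parse_version(text):
    """'0.37.1+build' -> (0, 37, 1); pre-release and build suffixes are dropped."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))

def affected_crates(cargo_lock_text):
    """Return [(name, version)] for Cargo.lock packages inside a listed range."""
    hits = []
    for block in cargo_lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if not (name and ver) or name.group(1) not in AFFECTED:
            continue
        low, high = AFFECTED[name.group(1)]
        if low < parse_version(ver.group(1)) <= high:
            hits.append((name.group(1), ver.group(1)))
    return hits

def ccm_call_sites(source_text):
    """Return [(line_number, cipher_name)] for uses of the impacted ciphers."""
    return [(n, m.group(0))
            for n, line in enumerate(source_text.splitlines(), 1)
            for m in CCM_CIPHERS.finditer(line)]

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = (
    '[[package]]\nname = "aws-lc-sys"\nversion = "0.30.0"\n\n'
    '[[package]]\nname = "aws-lc-fips-sys"\nversion = "0.13.0"\n\n'
    '[[package]]\nname = "serde"\nversion = "1.0.200"\n'
)
SAMPLE_C = (
    "const EVP_CIPHER *a = EVP_aes_128_gcm();\n"
    "const EVP_CIPHER *b = EVP_aes_256_ccm();\n"
)

if __name__ == "__main__":
    print(affected_crates(SAMPLE_LOCK))
    print(ccm_call_sites(SAMPLE_C))
```

A crate hit only matters if the build actually reaches one of the CCM ciphers, so the two results are best read together.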
nvd CVSS3.1
5.9
nvd CVSS4.0
8.2
Vulnerability type
CWE-208
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026