CVE-2026-3338

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-3338

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3338.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-3338

Aliases

Published

2026-03-02T22:16:32.350Z

Modified

2026-03-20T17:25:59.250880Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

References

Affected packages

Git / github.com/aws/aws-lc

Affected ranges

Type

GIT

Repo

https://github.com/aws/aws-lc

Events

Introduced

dd5948b5a55f5dc5f0db9bbfa0e21c35d9e820e2

Fixed

37d86461a95782fd5d8b77873f9e1cb134ea2f95

Database specific

{
    "versions": [
        {
            "introduced": "1.41.0"
        },
        {
            "fixed": "1.69.0"
        }
    ]
}

Affected versions

AWS-LC-FIPS-NETOS-v1.*

AWS-LC-FIPS-NETOS-v1.29.1

v1.*

v1.41.0

v1.41.1

v1.42.0

v1.43.0

v1.44.0

v1.45.0

v1.46.0

v1.46.1

v1.47.0

v1.48.0

v1.48.1

v1.48.2

v1.48.3

v1.48.4

v1.48.5

v1.49.0

v1.49.1

v1.50.0

v1.50.1

v1.51.0

v1.51.1

v1.51.2

v1.52.0

v1.52.1

v1.53.0

v1.53.1

v1.54.0

v1.55.0

v1.56.0

v1.57.0

v1.57.1

v1.58.0

v1.58.1

v1.59.0

v1.60.0

v1.61.0

v1.61.1

v1.61.2

v1.61.3

v1.61.4

v1.62.0

v1.62.1

v1.63.0

v1.64.0

v1.65.0

v1.65.1

v1.66.0

v1.66.1

v1.66.2

v1.67.0

v1.68.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3338.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0.24.0"
            },
            {
                "fixed": "0.38.0"
            }
        ]
    }
]

vanir_signatures

[
    {
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "280062061547051961335040704369984099310",
                "59664889025735122861240116516903930146",
                "186491128754061308478941699848016839286",
                "44181818329089001225657707026569626534",
                "282671460555005303787248492658194669900",
                "44166289732973386761265031133498341556",
                "69817426707179551398336772625900832321",
                "239604874112229803444893855053965253409"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/aws/aws-lc/commit/37d86461a95782fd5d8b77873f9e1cb134ea2f95",
        "id": "CVE-2026-3338-855e3c0b",
        "target": {
            "file": "crypto/pkcs7/pkcs7.c"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "function_hash": "158135805622728784577576606639969624490",
            "length": 2013.0
        },
        "source": "https://github.com/aws/aws-lc/commit/37d86461a95782fd5d8b77873f9e1cb134ea2f95",
        "id": "CVE-2026-3338-dc456f72",
        "target": {
            "file": "crypto/pkcs7/pkcs7.c",
            "function": "pkcs7_signature_verify"
        }
    }
]