GHSA-hfpc-8r3f-gw53

Source
https://github.com/advisories/GHSA-hfpc-8r3f-gw53
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hfpc-8r3f-gw53/GHSA-hfpc-8r3f-gw53.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hfpc-8r3f-gw53
Published
2026-03-03T20:25:39Z
Modified
2026-03-25T18:31:14Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
AWS-LC has PKCS7_verify Signature Validation Bypass
Details

Summary

AWS-LC is an open-source, general-purpose cryptographic library.

Impact

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated attacker to bypass signature verification when the library processes PKCS7 objects that carry authenticated (signed) attributes.
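The advisory does not say which step of the attribute handling was wrong, so the following is not a reconstruction of the AWS-LC bug. It is an added example, not AWS-LC or aws-lc-sys code, showing the two checks RFC 5652 (sections 5.4 and 5.6) requires whenever a SignerInfo carries signedAttrs: the signature covers DER(signedAttrs) rather than the content, and the content is bound to that signature only through the messageDigest attribute, which must equal the digest of the content actually being verified. The public-key signature is replaced by HMAC-SHA256 with a shared key (an assumption, so it runs offline), the DER encoder and decoder are minimal ones written for the example, and the messages and key are constructed. The last case shows what a verifier accepts when it validates the signature over the attributes but skips the messageDigest comparison.

```python
"""
What a PKCS#7/CMS verifier must check when a SignerInfo carries
signedAttrs (RFC 5652 sections 5.4 and 5.6).  Added example, not AWS-LC
code, and not a reconstruction of the AWS-LC bug; HMAC-SHA256 with a shared
key stands in for the public-key signature so the example runs offline.
"""
import hashlib
import hmac

OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1


def der(tag, body):
    """Minimal DER TLV encoder: definite length, short or long form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def read_tlv(buf, pos=0):
    """Minimal DER TLV decoder; returns (tag, body, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def attribute(oid, value_der):
    # Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF AttributeValue }
    return der(0x30, der(0x06, oid) + der(0x31, value_der))


def signed_attrs_der(content):
    """signedAttrs as the signer encodes them for signing: a DER SET OF
    (members sorted by encoding, X.690 11.6) holding the two mandatory
    attributes, contentType and messageDigest = hash(content)."""
    attrs = [
        attribute(OID_CONTENT_TYPE, der(0x06, OID_DATA)),
        attribute(OID_MESSAGE_DIGEST, der(0x04, hashlib.sha256(content).digest())),
    ]
    return der(0x31, b"".join(sorted(attrs)))


def sign(key, signed_attrs):
    """Stand-in for the signature: with signedAttrs present, the signature
    is computed over DER(signedAttrs), never over the content directly."""
    return hmac.new(key, signed_attrs, hashlib.sha256).digest()


def message_digest_attr(signed_attrs):
    """Return the messageDigest value from a DER signedAttrs SET, or None."""
    _, set_body, _ = read_tlv(signed_attrs)
    pos = 0
    while pos < len(set_body):
        _, seq_body, pos = read_tlv(set_body, pos)
        _, oid, after_oid = read_tlv(seq_body)
        if oid == OID_MESSAGE_DIGEST:
            _, values, _ = read_tlv(seq_body, after_oid)
            _, digest, _ = read_tlv(values)
            return digest
    return None


def verify(key, content, signed_attrs, signature, check_message_digest=True):
    """Both checks are needed.  check_message_digest=False models a verifier
    that validates the signature over the attributes but never ties the
    attributes back to the content it was handed."""
    # Check 1: the signature covers DER(signedAttrs).
    if not hmac.compare_digest(sign(key, signed_attrs), signature):
        return False
    # Check 2: the content is bound to that signature only through the
    # messageDigest attribute, so it must be present and match hash(content).
    if check_message_digest:
        found = message_digest_attr(signed_attrs)
        expected = hashlib.sha256(content).digest()
        if found is None or not hmac.compare_digest(found, expected):
            return False
    return True


KEY = b"constructed shared key"          # stand-in for the signer's key pair
ORIGINAL = b"approve transfer of 10"      # constructed signed content
TAMPERED = b"approve transfer of 10000"   # constructed substituted content


def demo():
    """Genuine message, then the same SignerInfo presented with swapped content,
    once to a correct verifier and once to one that skips check 2."""
    attrs = signed_attrs_der(ORIGINAL)
    sig = sign(KEY, attrs)
    return {
        "genuine": verify(KEY, ORIGINAL, attrs, sig),
        "tampered_correct_verifier": verify(KEY, TAMPERED, attrs, sig),
        "tampered_without_digest_check": verify(KEY, TAMPERED, attrs, sig, False),
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the shape of every signed-attributes bypass: the signature over the attribute set is perfectly valid, so a verifier that stops at check 1 reports success for whatever content it is given alongside that SignerInfo. Real CMS libraries also have to enforce that the contentType attribute matches the encapsulated content type and that signedAttrs is re-encoded as a SET for signature computation; those are omitted here to keep the example to the check the advisory's class of bug is about.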

Customers of AWS services do not need to take action. The aws-lc-sys crate bundles the AWS-LC source, so applications that depend on it, directly or transitively, should upgrade to the most recent release of aws-lc-sys.

Impacted versions:

aws-lc-sys versions: >= 0.24.0, < 0.38.0
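A quick way to tell whether a Rust project builds an affected aws-lc-sys is to read its Cargo.lock, since the crate is usually pulled in transitively (for instance through aws-lc-rs) rather than listed in Cargo.toml. The script below is an added example, not part of the advisory or the crate; the lock-file text it scans is constructed.

```python
"""
Report aws-lc-sys entries in a Cargo.lock that fall in the advisory's
affected range (>= 0.24.0, < 0.38.0).  Added example, not from the advisory
or the crate; the lock-file text below is constructed.
"""
import re

INTRODUCED = (0, 24, 0)
FIXED = (0, 38, 0)

# Constructed sample: one affected aws-lc-sys entry plus unrelated crates.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "aws-lc-rs"
version = "1.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "aws-lc-sys"
version = "0.30.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.200"
"""


def parse_version(v):
    """'0.30.0' -> (0, 30, 0); pre-release and build tags are ignored."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version):
    """True when version lies in [INTRODUCED, FIXED)."""
    return INTRODUCED <= parse_version(version) < FIXED


def packages(lock_text):
    """Yield (name, version) for every [[package]] block in a Cargo.lock."""
    for block in re.split(r"^\[\[package\]\]\s*$", lock_text, flags=re.M):
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            yield name.group(1), version.group(1)


def affected_entries(lock_text, crate="aws-lc-sys"):
    """All (name, version) pairs for `crate` that are in the affected range."""
    return [(n, v) for n, v in packages(lock_text) if n == crate and is_affected(v)]


if __name__ == "__main__":
    for name, version in affected_entries(SAMPLE_CARGO_LOCK):
        print(f"{name} {version}: affected, upgrade to >= 0.38.0")
```

One caveat when remediating: aws-lc-sys is a 0.x crate, so a dependency requirement such as `^0.30` does not allow Cargo to move to 0.38.0 on its own. `cargo update -p aws-lc-sys` only helps if the crate that depends on aws-lc-sys already accepts 0.38; otherwise that intermediate crate has to be upgraded first, and the lock file re-checked afterwards.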

Patches

The fix is included in aws-lc-sys v0.38.0.

Workarounds

There is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Resources

If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Database specific
{
    "cwe_ids": [
        "CWE-347"
    ],
    "github_reviewed_at": "2026-03-03T20:25:39Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed": true
}
Affected packages

crates.io / aws-lc-sys

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.24.0
Fixed
0.38.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hfpc-8r3f-gw53/GHSA-hfpc-8r3f-gw53.json"