RUSTSEC-2026-0043

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2026-0043

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0043.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2026-0043

Aliases

Published

2026-03-02T12:00:00Z

Modified

2026-03-21T06:45:35Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Timing Side-Channel in AES-CCM Tag Verification in AWS-LC

Details

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.

The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.

Customers of AWS services do not need to take action. aws-lc-fips-sys contains code from AWS-LC. Applications using aws-lc-fips-sys should upgrade to the most recent release of aws-lc-fips-sys.

Workarounds

In the special cases of using AES-CCM with (M=4, L=2), (M=8, L=2), or (M=16, L=2), applications can workaround this issue by using AES-CCM through the EVP AEAD API using implementations EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, and EVP_aead_aes_128_ccm_matter respectively.

Otherwise, there is no workaround and applications using aws-lc-fips-sys should upgrade to the most recent release of aws-lc-fips-sys.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / aws-lc-fips-sys

Package

Name: aws-lc-fips-sys; View open source insights on deps.dev
Purl: pkg:cargo/aws-lc-fips-sys

Affected ranges

Type: SEMVER
Events: Introduced

0.13.0

Fixed

0.13.12

Ecosystem specific

{
    "affects": {
        "arch": [],
        "functions": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

cvss

"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"

source

"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0043.json"