RUSTSEC-2026-0046

Source
https://rustsec.org/advisories/RUSTSEC-2026-0046
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0046.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0046
Aliases
Published
2026-03-02T12:00:00Z
Modified
2026-03-21T06:45:35Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
PKCS7_verify Certificate Chain Validation Bypass in AWS-LC
Details

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification for every signer except the final one when processing PKCS7 objects with multiple signers.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC.

There is no workaround; applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / aws-lc-sys

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.24.0
Fixed
0.38.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "functions": [],
        "arch": [],
        "os": []
    }
}

Database specific

source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0046.json"
informational
null
categories
[
    "crypto-failure"
]
cvss
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"