RUSTSEC-2026-0047

Source
https://rustsec.org/advisories/RUSTSEC-2026-0047
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0047.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0047
Aliases
Published
2026-03-02T12:00:00Z
Modified
2026-03-21T06:45:35Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
PKCS7_verify Signature Validation Bypass in AWS-LC
Details

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

There is no workaround; applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / aws-lc-sys

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.24.0
Fixed
0.38.0

Ecosystem specific

{
    "affects": {
        "os": [],
        "arch": [],
        "functions": []
    },
    "affected_functions": null
}

Database specific

source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0047.json"
categories
[
    "crypto-failure"
]
cvss
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
informational
null