RUSTSEC-2026-0048

Source
https://rustsec.org/advisories/RUSTSEC-2026-0048
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0048.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0048
Aliases
Published
2026-03-19T12:00:00Z
Modified
2026-03-20T17:26:22.199786Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
CRL Distribution Point Scope Check Logic Error in AWS-LC
Details

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to pass revocation checking during certificate validation. The condition is reached only when the application enables CRL checking and the issuer publishes partitioned CRLs carrying Issuing Distribution Point (IDP) extensions, so that the validator has to decide which CRL is in scope for a given certificate.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC, so the defect is present in the affected crate versions. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys (0.39.0 or later).

Workarounds

Applications can work around this issue by not enabling CRL checking (X509_V_FLAG_CRL_CHECK); without that flag the affected matching logic is not exercised, but note that this also removes CRL-based revocation checking entirely. Applications that use complete (non-partitioned) CRLs without IDP extensions are also not affected.

Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
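The Details and Workarounds sections above turn on one question: which CRL is in scope for a certificate when the issuer partitions its CRLs with IDP extensions, and what a validator must do when no in-scope CRL lists the certificate. The following Rust program is an added illustration written for this page, not AWS-LC or aws-lc-sys code, of the RFC 5280 section 6.3.3 scope check as a small model: a complete CRL (no IDP) covers every certificate of its issuer; a partitioned CRL covers a certificate only if the onlyContainsUserCerts/onlyContainsCACerts flags allow it and one of the certificate's CRL Distribution Point names matches a name in the IDP; and a "clean" CRL from a different partition must not vouch for the certificate, leaving the status undetermined rather than good. The structs, the issuer name "CN=Example CA", the partition URIs and the serial numbers are all constructed for the example.

```rust
// Added illustration, not AWS-LC code: RFC 5280 section 6.3.3 scope check for
// CRLs that carry an Issuing Distribution Point (IDP) extension. All names and
// sample data below are constructed for this example.
use std::collections::HashSet;

/// A distribution point name. Real X.509 GeneralName has several choices;
/// this model keeps only the URI form, which partitioned CRLs usually use.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct DpName(pub String);

/// The certificate fields the scope check needs (constructed model).
pub struct Cert {
    pub serial: u64,
    pub issuer: &'static str,
    pub is_ca: bool,
    /// Names from the certificate's CRL Distribution Points extension.
    pub cdp_names: Vec<DpName>,
}

/// Issuing Distribution Point extension (RFC 5280 section 5.2.5), reduced
/// to the fields relevant to scoping.
pub struct Idp {
    pub names: Vec<DpName>,
    pub only_user_certs: bool,
    pub only_ca_certs: bool,
}

pub struct Crl {
    pub issuer: &'static str,
    /// None for a complete CRL; Some for a partitioned CRL.
    pub idp: Option<Idp>,
    pub revoked: HashSet<u64>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Status {
    Good,
    Revoked,
    /// No in-scope CRL was available. Strict CRL checking must fail here
    /// instead of treating the certificate as good.
    Undetermined,
}

/// Is `crl` in scope for `cert`? A complete CRL covers every certificate of
/// its issuer. A partitioned CRL covers a certificate only if the user/CA
/// restriction allows it and at least one CDP name matches an IDP name.
pub fn crl_covers(cert: &Cert, crl: &Crl) -> bool {
    if cert.issuer != crl.issuer {
        return false;
    }
    match &crl.idp {
        None => true,
        Some(idp) => {
            if idp.only_user_certs && cert.is_ca {
                return false;
            }
            if idp.only_ca_certs && !cert.is_ca {
                return false;
            }
            if idp.names.is_empty() {
                return true;
            }
            cert.cdp_names.iter().any(|n| idp.names.contains(n))
        }
    }
}

/// Revocation status of `cert` given the CRLs the application has fetched.
/// Only in-scope CRLs count: a CRL for another partition that does not list
/// the serial says nothing about this certificate. With no in-scope CRL the
/// result is Undetermined, which X509_V_FLAG_CRL_CHECK-style strict checking
/// must reject.
pub fn check_revocation(cert: &Cert, crls: &[Crl]) -> Status {
    let mut covered = false;
    for crl in crls.iter().filter(|c| crl_covers(cert, c)) {
        if crl.revoked.contains(&cert.serial) {
            return Status::Revoked;
        }
        covered = true;
    }
    if covered { Status::Good } else { Status::Undetermined }
}

const ISSUER: &str = "CN=Example CA"; // constructed issuer name

fn uri(s: &str) -> DpName {
    DpName(s.to_string())
}

/// One partitioned CRL (onlyContainsUserCerts) for the given DP name.
fn partition(name: &str, revoked: &[u64]) -> Crl {
    Crl {
        issuer: ISSUER,
        idp: Some(Idp { names: vec![uri(name)], only_user_certs: true, only_ca_certs: false }),
        revoked: revoked.iter().copied().collect(),
    }
}

/// Constructed sample: the issuer splits its CRL into partitions A and B.
/// Serial 1001 is revoked and listed only in partition A.
pub fn sample_crls() -> Vec<Crl> {
    vec![
        partition("http://crl.example/a.crl", &[1001]),
        partition("http://crl.example/b.crl", &[]),
    ]
}

/// Constructed end-entity certificate whose CDP points at partition A.
pub fn cert_in_partition_a(serial: u64) -> Cert {
    Cert { serial, issuer: ISSUER, is_ca: false, cdp_names: vec![uri("http://crl.example/a.crl")] }
}

fn main() {
    let crls = sample_crls();
    println!("{:?}", check_revocation(&cert_in_partition_a(1001), &crls)); // Revoked
    println!("{:?}", check_revocation(&cert_in_partition_a(1002), &crls)); // Good
    // Only partition B available: out of scope, so it must not vouch for the cert.
    println!("{:?}", check_revocation(&cert_in_partition_a(1001), &crls[1..])); // Undetermined
}
```

The third case is the one that matters for this advisory: a revoked certificate whose own partition is missing must come out Undetermined, never Good, because the only CRL present is out of scope for it. Any scope-matching error that lets such a CRL count as covering the certificate turns into a revocation bypass.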

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / aws-lc-sys

Package
aws-lc-sys (crates.io)
Affected ranges

Type
SEMVER
Events
Introduced
0.15.0
Fixed
0.39.0
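The affected range above is SEMVER: introduced in 0.15.0, fixed in 0.39.0. The Rust program below is an added example for this page, not part of the advisory or of aws-lc-sys, that scans a Cargo.lock for every locked aws-lc-sys entry and reports whether it falls inside that range, applying SemVer pre-release ordering at both boundaries (so a hypothetical 0.39.0-rc.1 still counts as affected). The embedded Cargo.lock excerpt is constructed sample data; pass a real path as the first argument to check an actual project.

```rust
// Added example, not part of the advisory: check a Cargo.lock for aws-lc-sys
// versions inside the RUSTSEC-2026-0048 affected range [0.15.0, 0.39.0).
use std::env;
use std::fs;

pub const INTRODUCED: (u64, u64, u64) = (0, 15, 0);
pub const FIXED: (u64, u64, u64) = (0, 39, 0);

/// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into a core triple plus a flag for
/// a pre-release tag. A pre-release sorts below the release it precedes in
/// SemVer, which matters at both ends of the affected range.
pub fn parse_version(v: &str) -> Option<((u64, u64, u64), bool)> {
    let no_build = v.split('+').next()?;
    let mut parts = no_build.splitn(2, '-');
    let core = parts.next()?;
    let is_pre = parts.next().is_some();
    let mut nums = core.split('.').map(|p| p.parse::<u64>().ok());
    let (a, b, c) = (nums.next()??, nums.next()??, nums.next()??);
    if nums.next().is_some() {
        return None;
    }
    Some(((a, b, c), is_pre))
}

/// Affected iff INTRODUCED <= version < FIXED under SemVer ordering.
/// None means the version string could not be parsed.
pub fn is_affected(v: &str) -> Option<bool> {
    let (core, pre) = parse_version(v)?;
    let at_or_after_intro = core > INTRODUCED || (core == INTRODUCED && !pre);
    let before_fix = core < FIXED || (core == FIXED && pre);
    Some(at_or_after_intro && before_fix)
}

/// All versions of `crate_name` locked in a Cargo.lock. The file is TOML with
/// one [[package]] table per crate; within a table the `name` line precedes
/// the `version` line, and the same crate may be locked at several versions.
pub fn locked_versions(cargo_lock: &str, crate_name: &str) -> Vec<String> {
    let mut versions = Vec::new();
    let mut in_target = false;
    for raw in cargo_lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            in_target = false;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            in_target = rest.trim_matches('"') == crate_name;
        } else if in_target {
            if let Some(rest) = line.strip_prefix("version = ") {
                versions.push(rest.trim_matches('"').to_string());
            }
        }
    }
    versions
}

/// (version, affected) for every locked aws-lc-sys entry.
pub fn report(cargo_lock: &str) -> Vec<(String, Option<bool>)> {
    locked_versions(cargo_lock, "aws-lc-sys")
        .into_iter()
        .map(|v| {
            let affected = is_affected(&v);
            (v, affected)
        })
        .collect()
}

/// Constructed Cargo.lock excerpt used when no path is given.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "aws-lc-rs"
version = "1.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "aws-lc-sys"
version = "0.21.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libc"
version = "0.2.155"
"#;

fn main() {
    let contents = match env::args().nth(1) {
        Some(path) => fs::read_to_string(&path).expect("cannot read Cargo.lock"),
        None => SAMPLE_LOCK.to_string(),
    };
    for (version, affected) in report(&contents) {
        let verdict = match affected {
            Some(true) => "AFFECTED (RUSTSEC-2026-0048): upgrade to 0.39.0 or later",
            Some(false) => "not affected",
            None => "unparseable version",
        };
        println!("aws-lc-sys {}: {}", version, verdict);
    }
}
```

Because aws-lc-sys is usually pulled in transitively (for example through aws-lc-rs or a TLS stack built on it), checking the lockfile rather than Cargo.toml is what tells you the version actually built; `cargo tree -i aws-lc-sys` shows which dependents pin it once a hit is found.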

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "arch": [],
        "functions": []
    }
}

Database specific

categories
[
    "crypto-failure"
]
informational
null
cvss
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0048.json"