
CVE-2026-3336

Severity: High (updated)

Published: 02 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: AWS-LC 1.69.0
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0068 (47.8th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-3336 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Amazon Aws-Lc-Sys. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 47.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-3336 is an improper certificate validation vulnerability in the PKCS7_verify() function of the AWS-LC library. It allows certificate chain verification to be bypassed when a PKCS7 object carries multiple signers: the chain check is skipped for every signer except the final one. The flaw, classified under CWE-295, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and affects applications that use AWS-LC directly.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Exploitation allows the attacker to bypass certificate chain checks on PKCS7 objects with multiple signers (except the final one), resulting in high integrity impact by enabling acceptance of invalid signatures.

AWS security bulletin 2026-005-AWS, along with the GitHub security advisory GHSA-cfwj-9wp5-wqvp and release notes for AWS-LC v1.69.0, recommend upgrading affected applications to AWS-LC version 1.69.0 to mitigate the issue. Customers of AWS services do not need to take any action.


Vulnerability details

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

CWE(s)

CWE-295 Improper Certificate Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1553.002 Code Signing (Defense Impairment): adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
Why these techniques?

Remote, unauthenticated network exploitation of applications that use the vulnerable library for PKCS7 signature verification directly matches T1190. Because the core flaw bypasses certificate chain validation and so accepts invalid signatures, it also enables subversion of code and data signing trust controls, per T1553.002.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3338: same product (Amazon Aws-Lc-Sys)
CVE-2026-5709: same vendor (Amazon)
CVE-2026-7821: shared CWE-295
CVE-2026-21228: shared CWE-295
CVE-2025-23206: same vendor (Amazon)
CVE-2025-46070: shared CWE-295
CVE-2026-5747: same vendor (Amazon)
CVE-2026-10591: same vendor (Amazon)
CVE-2026-5707: same vendor (Amazon)
CVE-2026-4269: same vendor (Amazon)

Affected Assets

Vendor: amazon, product: aws-lc-sys, versions 0.24.0 to 0.38.0
Vendor: amazon, product: aws libcrypto, versions 1.41.0 to 1.69.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): requires timely remediation of identified flaws, such as upgrading AWS-LC to version 1.69.0 to fix the improper certificate validation in PKCS7_verify().

Prevent: mandates processes for validating PKI certificates, directly addressing the certificate chain bypass vulnerability in multi-signer PKCS7 objects.

RA-5 Vulnerability Monitoring and Scanning (detect): enables vulnerability scanning to identify deployments of vulnerable AWS-LC versions affected by this certificate validation flaw.
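The Affected Assets ranges above and the RA-5 scanning control both come down to the same check: find deployments whose AWS-LC or aws-lc-sys version falls in the listed range. The script below is an added example, not code from the advisory or from the AWS-LC project. It parses a constructed Cargo.lock fragment, flags aws-lc-sys versions inside the range the page lists (0.24.0 to 0.38.0, treated here as inclusive), and flags AWS-LC (libcrypto) versions older than 1.69.0, the release the bulletin names as the fix; reading the libcrypto range as "anything below the fixed release" is this example's assumption.

```python
"""Version-range check for CVE-2026-3336 (added example, not advisory code).

Parses a Cargo.lock fragment and flags aws-lc-sys versions inside the affected
range listed on the advisory page; also checks AWS-LC (libcrypto) versions
against the 1.69.0 release that the bulletin names as the fix.
"""
import re

# Affected range for the aws-lc-sys crate as listed on the page (inclusive).
AWS_LC_SYS_AFFECTED = ((0, 24, 0), (0, 38, 0))
# Fixed AWS-LC release per the bulletin; older versions are treated as
# affected (assumption made in this example, not a statement of the page).
AWS_LC_FIXED = (1, 69, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a semver-like string, ignoring suffixes."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def aws_lc_sys_affected(version):
    """True if an aws-lc-sys crate version lies in the listed affected range."""
    lo, hi = AWS_LC_SYS_AFFECTED
    return lo <= parse_version(version) <= hi


def aws_lc_affected(version):
    """True if an AWS-LC library version predates the fixed 1.69.0 release."""
    return parse_version(version) < AWS_LC_FIXED


def cargo_lock_packages(lock_text):
    """Yield (name, version) for each [[package]] entry in a Cargo.lock."""
    name = version = None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if name and version:
                yield name, version
            name = version = None
        elif line.startswith("name = "):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version = "):
            version = line.split("=", 1)[1].strip().strip('"')
    if name and version:
        yield name, version


def findings_for_cargo_lock(lock_text):
    """Return [(name, version)] for aws-lc-sys entries in the affected range."""
    return [
        (name, ver)
        for name, ver in cargo_lock_packages(lock_text)
        if name == "aws-lc-sys" and aws_lc_sys_affected(ver)
    ]


# Constructed sample lockfile; the versions are illustrative, not real builds.
SAMPLE_CARGO_LOCK = """\
version = 3

[[package]]
name = "aws-lc-rs"
version = "1.12.0"

[[package]]
name = "aws-lc-sys"
version = "0.30.1"

[[package]]
name = "serde"
version = "1.0.200"
"""

if __name__ == "__main__":
    for name, ver in findings_for_cargo_lock(SAMPLE_CARGO_LOCK):
        print(f"{name} {ver}: within the CVE-2026-3336 affected range")
```

Point findings_for_cargo_lock at a real Cargo.lock read from disk to inventory Rust builds; for native deployments, feed the AWS-LC version string reported by the build or package manager to aws_lc_affected.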
