Cyber Resilience

CVE-2026-3338

Severity: High
Published: 02 March 2026
Modified: 30 June 2026
CVSS v4.0 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0070 (48.6th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-3338 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Amazon Aws-Lc-Sys. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Code Signing (T1553.002). EPSS ranks the CVE at the 48.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3338 is an improper signature validation vulnerability (CWE-347) in the PKCS7_verify() function of the AWS-LC cryptographic library. Published on 2026-03-02, it allows signature verification to be bypassed when PKCS7 objects that include Authenticated Attributes are processed. It affects applications that use vulnerable versions of AWS-LC, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

An unauthenticated attacker can exploit this flaw remotely with low attack complexity and no user interaction or privileges required. By crafting malicious PKCS7 objects with Authenticated Attributes, the attacker bypasses signature checks, achieving high integrity impact without affecting confidentiality or availability.

AWS security advisories state that customers of AWS services require no action, as the issue is addressed in managed services. Applications using AWS-LC directly must upgrade to version 1.69.0 for mitigation. Details are provided in the AWS security bulletin (https://aws.amazon.com/security/security-bulletins/2026-005-AWS/), AWS-LC release notes (https://github.com/aws/aws-lc/releases/tag/v1.69.0), and GitHub advisory (https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj).


Vulnerability details

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1553.002 Code Signing (Defense Impairment): Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.

Why these techniques?

The vulnerability directly enables bypassing cryptographic signature verification for PKCS7/CMS objects (commonly used for code signing), which maps to subverting code signing trust controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3336 (same product: Amazon Aws-Lc-Sys)
CVE-2025-23206 (same vendor: Amazon)
CVE-2024-13172 (shared CWE-347)
CVE-2026-4600 (shared CWE-347)
CVE-2026-5747 (same vendor: Amazon)
CVE-2026-10591 (same vendor: Amazon)
CVE-2026-5707 (same vendor: Amazon)
CVE-2026-4269 (same vendor: Amazon)
CVE-2026-7424 (same vendor: Amazon)
CVE-2026-5708 (same vendor: Amazon)

Affected Assets

amazon aws-lc-sys: versions 0.24.0 — 0.38.0
amazon aws libcrypto: versions 1.41.0 — 1.69.0

Mitigating Controls

NIST 800-53 r5 controls:

SI-2 Flaw Remediation (prevent): Directly requires timely identification, reporting, and correction of flaws like the improper PKCS7 signature validation in AWS-LC by upgrading to version 1.69.0.

RA-5 Vulnerability Monitoring and Scanning (prevent, detect): Mandates vulnerability scanning to detect CVE-2026-3338 in AWS-LC and other components, enabling proactive remediation.

Software integrity monitoring (prevent, detect): Monitors the integrity of the deployed AWS-LC build to detect unauthorized changes or downgrades from the patched version, preventing exploitation via tampering.
