CVE-2026-3338
Published: 02 March 2026
Summary
CVE-2026-3338 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Amazon Aws-Lc-Sys. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Code Signing (T1553.002); ranked at the 48.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3338 is an improper signature validation vulnerability (CWE-347) in the PKCS7_verify() function of the AWS-LC cryptographic library. Published on 2026-03-02, it enables bypassing signature verification when processing PKCS7 objects that include Authenticated Attributes. The vulnerability affects applications using vulnerable versions of AWS-LC, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
An unauthenticated attacker can exploit this flaw remotely with low attack complexity and no user interaction or privileges required. By crafting malicious PKCS7 objects with Authenticated Attributes, the attacker bypasses signature checks, achieving high integrity impact without affecting confidentiality or availability.
AWS security advisories state that customers of AWS services require no action, as the issue is addressed in managed services. Applications using AWS-LC directly must upgrade to version 1.69.0 for mitigation. Details are provided in the AWS security bulletin (https://aws.amazon.com/security/security-bulletins/2026-005-AWS/), AWS-LC release notes (https://github.com/aws/aws-lc/releases/tag/v1.69.0), and GitHub advisory (https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9266
Vulnerability details
Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables bypassing cryptographic signature verification for PKCS7/CMS objects (commonly used for code signing), which maps to subverting code signing trust controls.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting, and correction of flaws such as the improper PKCS7 signature validation in AWS-LC, by upgrading to version 1.69.0.
- RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning to detect CVE-2026-3338 in AWS-LC and other components, enabling proactive remediation.
- Software integrity monitoring of AWS-LC detects unauthorized changes or downgrades from the patched version, preventing exploitation via tampering.
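The scanning and flaw-remediation controls above amount to one concrete check: find every AWS-LC build in the component inventory and compare its version against the fixed release. The script below is an added example, not code from the advisory or from the AWS-LC project. It assumes a constructed inventory format of one `component==version` entry per line (as an SBOM export might be flattened to) and keys on the AWS-LC library version string; the Rust binding crate aws-lc-sys carries its own crate version numbering, and the page does not give a mapping from crate versions to library versions, so that mapping is deliberately not assumed here. The only value taken from the page is the fixed version 1.69.0; every component name and version in the sample inventory is constructed.

```python
"""Inventory check for CVE-2026-3338 (AWS-LC PKCS7_verify signature bypass).

Added example, not from the advisory or the AWS-LC project. Assumes a
constructed inventory format: one "component==version" entry per line,
with optional '#' comments. The fixed version 1.69.0 comes from the AWS
security bulletin; all sample component data below is constructed.
"""
import re
from typing import Optional

FIXED_VERSION = "1.69.0"        # from the AWS security bulletin
AFFECTED_COMPONENT = "aws-lc"   # AWS-LC library version as reported by the build

# Accept an optional leading 'v' and ignore any prerelease suffix (e.g. -rc1).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Turn 'v1.68.2', '1.69.0' or '1.70.1-rc1' into a comparable tuple.
    Returns None for anything that is not a dotted numeric version."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_fixed(version: str) -> Optional[bool]:
    """True if version >= 1.69.0, False if older, None if unparsable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed >= parse_version(FIXED_VERSION)


def scan_inventory(lines):
    """Return (component, version, status) for every AWS-LC entry.
    status is 'fixed', 'VULNERABLE', or 'UNKNOWN' (needs manual review:
    a branch name or date string cannot be compared against 1.69.0)."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        if name.lower() != AFFECTED_COMPONENT:
            continue
        fixed = is_fixed(version)
        if fixed is None:
            status = "UNKNOWN"
        else:
            status = "fixed" if fixed else "VULNERABLE"
        findings.append((name, version, status))
    return findings


# Constructed sample inventory (not data from any real system).
SAMPLE_INVENTORY = """
openssl==3.3.1          # unrelated component, ignored
aws-lc==1.68.2          # below the fixed version
aws-lc==v1.69.0         # exactly the fixed version
aws-lc==1.70.1-rc1      # newer prerelease; numeric part is compared
aws-lc==main-2026-02    # branch build, cannot be compared: flag for review
""".splitlines()


if __name__ == "__main__":
    for name, version, status in scan_inventory(SAMPLE_INVENTORY):
        print(f"{status:10s} {name}=={version}")
```

Entries that cannot be parsed are reported as UNKNOWN rather than silently treated as fixed, so a branch or snapshot build of AWS-LC still surfaces for review instead of disappearing from the scan.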