Cyber Resilience

CVE-2026-4428

Critical

Published: 19 March 2026

Modified: 20 March 2026
KEV: not listed
Patch: available (AWS-LC 1.71.0 / AWS-LC-FIPS-3.3.0)
CVSS v4.0 base score: 9.1 (Critical), vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (all supplemental, environmental and threat metrics not defined)
EPSS score: 0.0025 (16.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4428 is a critical-severity Improper Check for Certificate Revocation (CWE-299) vulnerability in AWS-LC, Amazon's cryptographic library (the vendor is inferred from the references; NVD filed no CPE). Its CVSS v4.0 base score is 9.1 (Critical); under CVSS v3.1 the same issue scores 7.4 (High), so the severity label depends on which scheme your triage process uses.

Operationally, exploitation is mapped here to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-4428 is a logic error in the Certificate Revocation List (CRL) distribution point validation in AWS-LC versions before 1.71.0. A CA may partition its revocation data across several CRLs, each carrying an Issuing Distribution Point (IDP) extension that scopes it to the certificates pointing at that distribution point; before consulting such a CRL, the validator has to confirm that the certificate's CRL Distribution Point matches the CRL's declared scope. The flawed check rejected partitioned CRLs as out of scope, so the CRL that actually listed a revoked certificate was never consulted and the certificate passed the revocation check. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-299 (Improper Check for Certificate Revocation).

Exploitation needs no privileges or user interaction and can be performed remotely, but attack complexity is high and the CVSS v4 vector records an attack requirement (AT:P): the attacker must already hold a certificate, and its private key, that the issuing CA has revoked (for example a compromised or withdrawn server certificate), and the verifier must depend on a partitioned CRL for that issuer's revocation status. Under those conditions a certificate the CA has revoked is still accepted by an affected AWS-LC verifier, potentially leading to high-impact confidentiality and integrity violations such as unauthorized data access or interception of TLS connections that rely on affected AWS-LC builds. Because the description ties the bug specifically to partitioned CRLs, whether the CRLs your deployments consume carry an Issuing Distribution Point extension is the first thing to check when assessing exposure.
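The scope check the description refers to, as an added example that is not AWS-LC's code and does not claim to reproduce the exact condition that was wrong in it: a minimal RFC 5280 section 6.3.3-style distribution-point check beside a hypothetical defective one that rejects every partitioned CRL, both run against a constructed PKI in which the revoked serial sits in a partitioned CRL. The Cert/Crl types, the URIs and serials, and the soft-fail policy in accept() are assumptions of the example.

```python
"""Model of a CRL distribution-point scope check: an illustrative wrong
check that rejects partitioned CRLs, beside an RFC 5280 6.3.3-style check.

Added example for this page. It is not AWS-LC code and does not claim to
reproduce the precise condition that was wrong in AWS-LC before 1.71.0;
it models the failure mode the advisory names (a partitioned CRL treated
as out of scope, so the revoked entry is never consulted).
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    cdp_uris: FrozenSet[str]  # names from the CRL Distribution Points extension


@dataclass(frozen=True)
class Crl:
    issuer: str
    # None: complete CRL for the issuer. Otherwise the Issuing Distribution
    # Point names: this CRL covers only certs whose CDP names match one.
    idp_uris: Optional[FrozenSet[str]]
    revoked_serials: FrozenSet[int]


ScopeCheck = Callable[[Cert, Crl], bool]


def in_scope_correct(cert: Cert, crl: Crl) -> bool:
    """RFC 5280 6.3.3 (b)(2)(i) in miniature: same issuer, and if the CRL
    carries an IDP, at least one IDP name must match a cert CDP name."""
    if crl.issuer != cert.issuer:
        return False
    if crl.idp_uris is None:
        return True  # a complete CRL covers every cert from this issuer
    return bool(crl.idp_uris & cert.cdp_uris)


def in_scope_buggy(cert: Cert, crl: Crl) -> bool:
    """Hypothetical defective check (not AWS-LC's code): the IDP/CDP
    comparison never succeeds, so every partitioned CRL is rejected as out
    of scope and only complete CRLs are ever consulted."""
    if crl.issuer != cert.issuer:
        return False
    return crl.idp_uris is None


def revocation_status(cert: Cert, crls: List[Crl], in_scope: ScopeCheck) -> str:
    """'revoked', 'good', or 'unknown' (no CRL in scope for this cert)."""
    applicable = [c for c in crls if in_scope(cert, c)]
    if not applicable:
        return "unknown"
    if any(cert.serial in c.revoked_serials for c in applicable):
        return "revoked"
    return "good"


def accept(cert: Cert, crls: List[Crl], in_scope: ScopeCheck, soft_fail: bool) -> bool:
    """Chain-building decision. soft_fail=True accepts a cert when no CRL
    applies (an assumed policy, common in practice); False fails closed."""
    status = revocation_status(cert, crls, in_scope)
    if status == "revoked":
        return False
    if status == "good":
        return True
    return soft_fail


# Constructed sample PKI: one CA publishing two partitioned CRLs.
CA = "CN=Example Issuing CA"
PART_1 = "http://crl.example.test/ca-part1.crl"
PART_2 = "http://crl.example.test/ca-part2.crl"
CRLS = [
    Crl(CA, frozenset({PART_1}), frozenset({0x1234})),  # 0x1234 is revoked here
    Crl(CA, frozenset({PART_2}), frozenset()),
]
REVOKED_LEAF = Cert(CA, 0x1234, frozenset({PART_1}))
VALID_LEAF = Cert(CA, 0x5555, frozenset({PART_1}))


if __name__ == "__main__":
    for name, check in (("correct", in_scope_correct), ("buggy", in_scope_buggy)):
        print(name, "check, revoked leaf accepted under soft-fail:",
              accept(REVOKED_LEAF, CRLS, check, soft_fail=True))
```

With the correct check the revoked leaf is rejected; with the defective check no CRL is ever in scope, so the outcome is decided by the verifier's policy for "no CRL available": soft-fail accepts the revoked certificate (the bypass the advisory describes), while a fail-closed policy would have refused every certificate under that issuer, revoked or not.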

The AWS security bulletin (2026-010-AWS) and the AWS-LC release notes recommend upgrading to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0, the releases that correct the CRL validation logic.

Vulnerability details

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks. To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.

CWE(s)

CWE-299 Improper Check for Certificate Revocation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing …
Why these techniques?

The logic flaw in CRL validation can be reached remotely against Internet-facing services that verify peer certificates with AWS-LC (T1190), and it lets an attacker who holds the private key of a revoked certificate present that certificate in a TLS handshake and have it accepted, which supports adversary-in-the-middle interception (T1557).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

AWS-LC before 1.71.0 (vendor: Amazon); the AWS-LC-FIPS branch is remediated in 3.3.0.
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely remediation of software flaws, directly addressing the logic error in AWS-LC CRL validation by mandating upgrades to the patched versions (AWS-LC 1.71.0, AWS-LC-FIPS-3.3.0).

SC-17 Public Key Infrastructure Certificates (prevent)

Mandates proper management and validation of PKI certificates, including revocation status checks via CRLs, mitigating bypasses that stem from improper distribution point validation.

RA-5 Vulnerability Monitoring and Scanning (detect)

Vulnerability scanning and monitoring identifies deployments of vulnerable AWS-LC versions affected by CVE-2026-4428 for subsequent remediation.
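The RA-5 check above in working form, as an added example that is not an AWS tool: a scan over a component inventory that flags AWS-LC builds below the fixed releases named in the advisory. The inventory format (one "name version location" line per component) and the component names aws-lc and aws-lc-fips are constructed for the example; the point it makes is that the FIPS branch has its own version line, so a naive "newer than 1.71.0" comparison would wrongly pass an aws-lc-fips 3.2.0 build as fixed.

```python
"""Inventory check for CVE-2026-4428: flag AWS-LC builds below the fixed
versions named in the advisory (AWS-LC 1.71.0, AWS-LC-FIPS 3.3.0).

Added example for this page (not an AWS tool). The inventory below is a
constructed "name version location" text list; adapt parse_inventory() to
whatever SBOM or package export you actually have.
"""
import re
from typing import List, Tuple

# Fixed release per branch, from the advisory. The FIPS branch is numbered
# independently, so it must be compared against 3.3.0, not 1.71.0.
FIXED = {
    "aws-lc": (1, 71, 0),
    "aws-lc-fips": (3, 3, 0),
}

# Constructed sample inventory: "<component> <version> <where it runs>".
SAMPLE_INVENTORY = """\
aws-lc 1.70.1 svc-edge-proxy
aws-lc 1.71.0 svc-auth
aws-lc-fips 3.2.0 svc-payments
aws-lc-fips 3.3.0 svc-kms-client
aws-lc v1.69.0 svc-legacy
openssl 3.0.13 svc-reports
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'v1.70.1', '1.70.1' or '1.70.1-rc1' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(name: str, version: str) -> bool:
    """True when the component is an AWS-LC build below its branch's fix."""
    fixed = FIXED.get(name.lower())
    if fixed is None:
        return False  # not an AWS-LC component; out of scope for this CVE
    return parse_version(version) < fixed


def parse_inventory(inventory: str) -> List[Tuple[str, str, str]]:
    rows = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, version, where = line.split()
        rows.append((name, version, where))
    return rows


def scan(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (location, component, version) for every vulnerable build."""
    return [
        (where, name, version)
        for name, version, where in parse_inventory(inventory)
        if is_vulnerable(name, version)
    ]


if __name__ == "__main__":
    for where, name, version in scan(SAMPLE_INVENTORY):
        print(f"{where}: {name} {version} is below the fixed release")
```

A hit on a build means the SI-2 upgrade applies to that host; a clean scan is only as good as the inventory, so make sure statically linked copies of AWS-LC inside application binaries are represented in it, not only OS packages.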
