CVE-2026-4428
Published: 19 March 2026
Summary
CVE-2026-4428 is a critical-severity Improper Check for Certificate Revocation (CWE-299) vulnerability affecting an Amazon product (vendor inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks at the 16.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-4428 is a logic error in the Certificate Revocation List (CRL) distribution point validation process in AWS-LC versions prior to 1.71.0. This flaw causes partitioned CRLs to be incorrectly rejected as out of scope, allowing revoked certificates to bypass certificate revocation checks. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-299 (Improper Check for Certificate Revocation).
Remote attackers without privileges or user interaction can exploit this issue, though it requires high attack complexity. Exploitation enables the use of revoked certificates to evade revocation validation, potentially leading to high-impact confidentiality and integrity violations, such as unauthorized data access or interception in TLS connections relying on affected AWS-LC implementations.
The AWS security bulletin (2026-010-AWS) and AWS-LC release notes recommend upgrading to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0 to remediate the vulnerability by correcting the CRL validation logic.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13237
Vulnerability details
A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks. To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.
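The two descriptions above both come down to one decision: is a given CRL "in scope" for the certificate being checked, and what happens when no in-scope CRL is found. The following is an added example (not AWS-LC code, and not a reproduction of the fixed logic) that models the RFC 5280 section 6.3.3 scope rules for partitioned CRLs with simplified stand-ins for the CRLDistributionPoints and IssuingDistributionPoint extensions. The issuer name, partition URIs and serial numbers are constructed sample data; reason-code partitioning (onlySomeReasons) is deliberately omitted.

```python
"""Model of the RFC 5280 section 6.3.3 "CRL scope" decision for partitioned CRLs.

Added example, not AWS-LC code. The dataclasses are simplified stand-ins for
the X.509 CRLDistributionPoints (certificate side) and IssuingDistributionPoint
(CRL side) extensions; onlySomeReasons partitioning is left out on purpose.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"   # no CRL in scope: must never be reported as GOOD


@dataclass(frozen=True)
class DistributionPoint:
    """One DistributionPoint from the certificate: the URIs in its fullName."""
    uris: FrozenSet[str]


@dataclass(frozen=True)
class Crl:
    issuer: str
    revoked_serials: FrozenSet[int]
    # IssuingDistributionPoint.distributionPoint URIs; None means the extension
    # is absent, i.e. a complete CRL for the issuer rather than a partition.
    idp_uris: Optional[FrozenSet[str]] = None
    only_user_certs: bool = False
    only_ca_certs: bool = False


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    is_ca: bool
    crl_dps: Tuple[DistributionPoint, ...]


def crl_in_scope(cert: Cert, dp: DistributionPoint, crl: Crl) -> bool:
    """Does `crl` cover `cert` when reached through `dp`? (RFC 5280 6.3.3 (b))"""
    if crl.issuer != cert.issuer:
        return False
    if crl.idp_uris is None:
        return True                       # complete CRL: always in scope
    # (b)(2)(i): a partitioned CRL is in scope only if at least one name in the
    # certificate's DP matches a name in the CRL's IDP. Getting this comparison
    # wrong is what makes a valid partition look "out of scope".
    if not (dp.uris & crl.idp_uris):
        return False
    # (b)(2)(ii)/(iii): onlyContainsUserCerts / onlyContainsCACerts
    if crl.only_user_certs and cert.is_ca:
        return False
    if crl.only_ca_certs and not cert.is_ca:
        return False
    return True


def check_revocation(cert: Cert, crls: Tuple[Crl, ...]) -> Status:
    """Return REVOKED/GOOD from the first in-scope CRL, else UNDETERMINED.

    The final return is the defensive part: when scope matching finds nothing,
    the verifier fails closed instead of reporting the certificate as good.
    """
    for dp in cert.crl_dps:
        for crl in crls:
            if crl_in_scope(cert, dp, crl):
                return Status.REVOKED if cert.serial in crl.revoked_serials else Status.GOOD
    return Status.UNDETERMINED


# --- constructed sample data (not real PKI objects) ---------------------------
ISSUER = "CN=Example Issuing CA"
PART_7 = "http://crl.example.test/ca/partition-7.crl"
PART_8 = "http://crl.example.test/ca/partition-8.crl"

CRL_PART_7 = Crl(ISSUER, frozenset({0x1234}), idp_uris=frozenset({PART_7}))
CRL_FULL = Crl(ISSUER, frozenset({0x1234, 0x5678}))

CERT_REVOKED = Cert(ISSUER, 0x1234, False, (DistributionPoint(frozenset({PART_7})),))
CERT_GOOD = Cert(ISSUER, 0x9999, False, (DistributionPoint(frozenset({PART_7})),))
CERT_OTHER_PART = Cert(ISSUER, 0x5678, False, (DistributionPoint(frozenset({PART_8})),))


if __name__ == "__main__":
    print("revoked cert, partition-7 CRL  :", check_revocation(CERT_REVOKED, (CRL_PART_7,)).value)
    print("good cert, partition-7 CRL     :", check_revocation(CERT_GOOD, (CRL_PART_7,)).value)
    print("partition-8 cert, only p7 CRL  :", check_revocation(CERT_OTHER_PART, (CRL_PART_7,)).value)
    print("partition-8 cert, complete CRL :", check_revocation(CERT_OTHER_PART, (CRL_FULL,)).value)
```

The third case is the one to watch in any verifier: a certificate whose only distribution point names a partition for which no CRL is available must come back as undetermined, not good. A scope-matching defect like the one described on this page only turns into a revocation bypass if the surrounding code treats "no applicable CRL" as "not revoked", so a fail-closed default is the control that limits the blast radius while the upgrade to 1.71.0 is rolled out.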
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The logic flaw in CRL validation enables remote exploitation of public-facing applications that use AWS-LC (T1190), and the acceptance of revoked certificates in TLS directly facilitates adversary-in-the-middle interception (T1557).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of software flaws, directly addressing the logic error in AWS-LC CRL validation by mandating upgrades to patched versions such as 1.71.0.
- SC-17 (Public Key Infrastructure Certificates): mandates proper management and validation of PKI certificates, including revocation status checks via CRLs, mitigating bypasses that stem from improper distribution point validation.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning and monitoring identifies deployments of AWS-LC versions affected by CVE-2026-4428 for subsequent remediation.