CVE-2026-3336 HIGH

CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC

Vendor: AWS
Product: AWS-LC
Weakness: CWE-295
Published: March 2, 2026
Last update: June 30, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification for every signer except the final one when processing PKCS7 objects with multiple signers. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

Key dates

02 Disclosure timeline

March 2, 2026: CVE published
June 30, 2026: Record updated