CVE-2026-3337 MEDIUM

CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification in AWS-LC

Vendor Aws
Product AWS-LC
Weakness CWE-208
Published March 2, 2026
Last update March 3, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

Key dates

02Disclosure timeline

March 2, 2026 CVE published
March 3, 2026 Record updated