Vulnerability Details CVE-2026-3338
Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 51.3%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-3338
- cpe:2.3:a:amazon:aws-lc-sys:0.24.0
- cpe:2.3:a:amazon:aws-lc-sys:0.24.1
- cpe:2.3:a:amazon:aws-lc-sys:0.25.0
- cpe:2.3:a:amazon:aws-lc-sys:0.25.1
- cpe:2.3:a:amazon:aws-lc-sys:0.26.0
- cpe:2.3:a:amazon:aws-lc-sys:0.27.0
- cpe:2.3:a:amazon:aws-lc-sys:0.27.1
- cpe:2.3:a:amazon:aws-lc-sys:0.27.2
- cpe:2.3:a:amazon:aws-lc-sys:0.28.0
- cpe:2.3:a:amazon:aws-lc-sys:0.28.1
- cpe:2.3:a:amazon:aws-lc-sys:0.28.2
- cpe:2.3:a:amazon:aws-lc-sys:0.29.0
- cpe:2.3:a:amazon:aws-lc-sys:0.30.0
- cpe:2.3:a:amazon:aws-lc-sys:0.31.0
- cpe:2.3:a:amazon:aws-lc-sys:0.32.0
- cpe:2.3:a:amazon:aws-lc-sys:0.32.1
- cpe:2.3:a:amazon:aws-lc-sys:0.32.2
- cpe:2.3:a:amazon:aws-lc-sys:0.32.3
- cpe:2.3:a:amazon:aws-lc-sys:0.33.0
- cpe:2.3:a:amazon:aws-lc-sys:0.34.0
- cpe:2.3:a:amazon:aws-lc-sys:0.35.0
- cpe:2.3:a:amazon:aws-lc-sys:0.36.0
- cpe:2.3:a:amazon:aws-lc-sys:0.37.0
- cpe:2.3:a:amazon:aws-lc-sys:0.37.1