Bug 2444026 (CVE-2026-3336) - CVE-2026-3336 aws-lc: aws-lc: Certificate validation bypass via improper handling of PKCS7 objects
Keywords:
Status: NEW
Alias: CVE-2026-3336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2444184 2444186 2444189 2444190 2444181 2444182 2444183 2444185 2444187 2444188
Blocks:
Reported: 2026-03-02 22:01 UTC by OSIDB Bzimport
Modified: 2026-03-03 19:52 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-02 22:01:39 UTC
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

