Cybersecurity researchers have identified three significant vulnerabilities in AWS-LC, Amazon’s open-source cryptographic library used extensively across its cloud infrastructure and global services. The flaws range from high-severity validation bypasses to a subtle timing side-channel, potentially allowing unauthenticated attackers to subvert encrypted communications or verify forged digital signatures.
AWS-LC is a general-purpose library based on Google’s BoringSSL and the OpenSSL project, serving as the cryptographic backbone for Amazon’s FIPS-validated offerings and many third-party applications.
Two of the three vulnerabilities, CVE-2026-3336 and CVE-2026-3338, affect the PKCS7_verify() function, which validates digital signatures and certificate chains in PKCS#7 / Cryptographic Message Syntax (CMS) objects.
- CVE-2026-3336 (CVSS 7.5): This “Certificate Chain Validation Bypass” is particularly dangerous. When processing a PKCS7 object with multiple signers, the library improperly validates the certificates. As the security report details, the flaw “allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer”. An attacker could craft a file where earlier signers fail validation, yet the entire package is accepted if the last signer appears legitimate.
- CVE-2026-3338 (CVSS 7.5): A related “Signature Validation Bypass” exists when processing objects with “Authenticated Attributes.” This flaw “allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes”.
The third vulnerability, CVE-2026-3337 (CVSS 5.9), is a “Timing Side-Channel” in the AES-CCM tag verification process. Rather than exploiting a logic or memory-safety flaw directly, timing attacks rely on measuring tiny variations in how long a processor takes to complete an operation.
In this case, the library’s AES-CCM decryption used a non-constant-time comparison for authentication tags. As the report warns, this “allows an unauthenticated user to potentially determine authentication tag validity via timing analysis”. By observing these discrepancies, an attacker can theoretically infer sensitive data or identify valid tags through repeated, precisely timed queries.
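To make the difference concrete, here is an added C example (not AWS-LC code) contrasting an early-exit tag comparison, the pattern behind this class of bug, with a constant-time one. Timing is simulated by counting the bytes each routine examines; the tag length and tag values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CCM_TAG_LEN 16  /* constructed: one common AES-CCM tag length */

typedef struct {
    int equal;              /* 1 if tags match, 0 otherwise */
    size_t bytes_examined;  /* stand-in for elapsed time */
} tag_check;

/* Non-constant-time check: returns at the first mismatching byte, so the
   work done (and thus the time taken) reveals how many leading bytes of a
   candidate tag were correct. This is the shape of the bug described above. */
tag_check tag_equal_early_exit(const uint8_t *expected, const uint8_t *received, size_t len)
{
    tag_check r = { 1, 0 };
    for (size_t i = 0; i < len; i++) {
        r.bytes_examined++;
        if (expected[i] != received[i]) { r.equal = 0; return r; }
    }
    return r;
}

/* Constant-time check: always reads every byte and takes no data-dependent
   branch. Mismatches are OR-accumulated and the accumulator is mapped to 0/1
   arithmetically: acc == 0 gives (0 - 1) >> 31 == 1, any other acc gives 0. */
tag_check tag_equal_ct(const uint8_t *expected, const uint8_t *received, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(expected[i] ^ received[i]);
    tag_check r = { (int)((((uint32_t)acc - 1u) >> 31) & 1u), len };
    return r;
}

/* Constructed sample tags (not real test vectors): the forgery matches the
   first five bytes of the genuine tag and differs from byte index 5 onward. */
static const uint8_t tag_good[CCM_TAG_LEN] =
    { 0x1f,0x2e,0x3d,0x4c,0x5b,0x6a,0x79,0x88,0x97,0xa6,0xb5,0xc4,0xd3,0xe2,0xf1,0x00 };
static const uint8_t tag_forged[CCM_TAG_LEN] =
    { 0x1f,0x2e,0x3d,0x4c,0x5b,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };

int main(void)
{
    tag_check a = tag_equal_early_exit(tag_good, tag_forged, CCM_TAG_LEN);
    tag_check b = tag_equal_ct(tag_good, tag_forged, CCM_TAG_LEN);
    printf("early-exit: equal=%d bytes=%zu\n", a.equal, a.bytes_examined); /* 0, 6 */
    printf("constant-time: equal=%d bytes=%zu\n", b.equal, b.bytes_examined); /* 0, 16 */
    return 0;
}
```

The early-exit routine's work grows with the length of the matching prefix, which is exactly the signal a remote observer would correlate with response time; the constant-time routine does identical work for every input.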
The vulnerabilities impact several versions of the AWS-LC core and its associated system bindings.
| Vulnerability | Affected Versions | Fixed Version |
|---|---|---|
| CVE-2026-3336 | AWS-LC: < v1.69.0; aws-lc-sys: < v0.38.0 | v1.69.0 / v0.38.0 |
| CVE-2026-3337 | AWS-LC: < v1.69.0; aws-lc-sys: < v0.38.0 | v1.69.0 / v0.38.0 |
| CVE-2026-3338 | AWS-LC: < v1.69.0; aws-lc-sys: < v0.38.0 | v1.69.0 / v0.38.0 |
For users of the FIPS-validated modules, the timing side-channel (CVE-2026-3337) is addressed in AWS-LC-FIPS v3.2.0 and aws-lc-sys-fips v0.13.12.
There are no known workarounds for these issues. Developers using the AWS-LC library or the aws-lc-rs Rust bindings should upgrade their dependencies to the latest releases immediately to keep their applications protected against these unauthenticated network attacks.