CVE-2026-3338
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass signature verification in PKCS7 objects with Authenticated Attributes in AWS-LC. It affects applications using AWS-LC for cryptographic operations. AWS service customers are not affected, but direct AWS-LC users must take action.
💻 Affected Systems
- AWS-LC
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could forge digital signatures, enabling man-in-the-middle attacks, code execution via malicious updates, or data tampering without detection.
Likely Case
Signature bypass allowing spoofed software updates, certificates, or signed documents to be accepted as valid.
If Mitigated
No impact if proper signature validation controls are in place or if PKCS7 with Authenticated Attributes is not used.
🎯 Exploit Status
Exploitation requires crafting malicious PKCS7 objects with Authenticated Attributes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.69.0
Vendor Advisory: https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj
Restart Required: Yes
Instructions:
1. Check current AWS-LC version. 2. Download AWS-LC v1.69.0 from GitHub releases. 3. Replace existing AWS-LC installation with v1.69.0. 4. Rebuild and redeploy applications using AWS-LC. 5. Restart affected services.
🔧 Temporary Workarounds
Disable PKCS7 with Authenticated Attributes
allTemporarily disable processing of PKCS7 objects containing Authenticated Attributes if not required.
Configuration depends on application implementation
🧯 If You Can't Patch
- Implement additional signature validation layers outside AWS-LC
- Monitor for anomalous PKCS7 processing activity
🔍 How to Verify
Check if Vulnerable:
Check if AWS-LC version is below 1.69.0 and application uses PKCS7_verify() with Authenticated Attributes.Check Version:
aws-lc version (if installed) or check build configurationVerify Fix Applied:
Confirm AWS-LC version is 1.69.0 or higher and test PKCS7 signature validation with Authenticated Attributes.📡 Detection & Monitoring
Log Indicators:
- Failed signature validation attempts
- Unexpected PKCS7 processing
Network Indicators:
- Unusual PKCS7 object transfers
- Suspicious certificate/signature submissions
SIEM Query:
source="application_logs" AND ("PKCS7" OR "signature validation") AND result="success"