Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)

AWS has issued an important security bulletin regarding its open-source cryptographic library, AWS-LC. Three critical vulnerabilities were discovered within the library. The first vulnerability, CVE-2026-3336, concerns a certificate chain validation bypass in the PKCS7_verify function. This flaw allows unauthorized users to bypass verification when handling PKCS7 objects with multiple signers. The second vulnerability, CVE-2026-3337, involves a timing side-channel in AES-CCM tag verification. This vulnerability could allow attackers to determine tag validity through timing analysis during decryption. The third vulnerability, CVE-2026-3338, is a signature validation bypass within PKCS7_verify. It allows an attacker to bypass signature verification when processing PKCS7 objects featuring authenticated attributes. These vulnerabilities affect various versions of AWS-LC and aws-lc-sys, including FIPS compliant versions. Affected versions are specified for each vulnerability in the bulletin. Users are urged to check the bulletin for a complete list of impacted versions. The bulletin recommends referring to the provided article for detailed information and the latest updates. Action is required to address these security issues.