logo

Database

Lack of data validation In aws-lc-sys

Description

AWS-LC has PKCS7_verify Signature Validation Bypass

Summary

AWS-LC is an open-source, general-purpose cryptographic library.

Impact

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Impacted versions:

aws-lc-sys versions: >= 0.24.0, < 0.38.0

Patches

The patch is included in v0.38.0

Workarounds

There is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Resources

If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2026-33382. GHSA-hfpc-8r3f-gw533. GHSA-jchq-39cv-q4wj4. GCVE-GHSA-hfpc-8r3f-gw53

References

1. https://github.com/aws/aws-lc-rs/security/advisories/GHSA-hfpc-8r3f-gw532. https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj3. https://aws.amazon.com/security/security-bulletins/2026-005-AWS4. https://rustsec.org/advisories/RUSTSEC-2026-0047.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.