GHSA-hfpc-8r3f-gw53

Details

Summary

AWS-LC is an open-source, general-purpose cryptographic library.

Impact

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.

Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Impacted versions:

aws-lc-sys versions: >= 0.24.0, < 0.38.0

Patches

The patch is included in v0.38.0

Workarounds

There is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Resources

If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Affected Packages

aws-lc-sys

crates.io

Fixed in:

0.38.0

References

WEB

https://aws.amazon.com/security/security-bulletins/2026-005-AWS

ADVISORY

https://github.com/advisories/GHSA-hfpc-8r3f-gw53

PACKAGE

https://github.com/aws/aws-lc-rs

WEB

https://github.com/aws/aws-lc-rs/security/advisories/GHSA-hfpc-8r3f-gw53

WEB

https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2026-3338