CVE-2026-3337

High CVSS: 8.2

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.

The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.

Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

Vendor

Amazon

Product

Aws-lc-fips-sys

CWE

CWE-208

Yayın Tarihi

2026-03-02 22:16:32

Güncelleme

2026-03-11 17:14:55

Source Identifier

ff89ba41-3aa1-4d27-914a-91399e9639e5

KEV Date Added

Kategoriler

CWE-208 Aws-lc-fips-sys HIGH Amazon 2026

Referanslar

https://aws.amazon.com/security/security-bulletins/2026-005-AWS/ https://github.com/aws/aws-lc/releases/tag/v1.69.0 https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh

Benzer Kayıtlar

High

CVE-2026-3338

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verificatio…

High

CVE-2026-3336

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain v…

Medium

CVE-2026-1386

A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on L…

High

CVE-2025-14503

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account…

High

CVE-2025-9624

A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string input…

High

CVE-2025-62371

OpenSearch Data Prepper as an open source data collector for observability data. In versions prior to 2.12.2, the OpenSe…