Critical Flaw Hits Widely Used AWS Crypto Library

A critical vulnerability, CVE-2026-28802, has been found in Amazon's AWS-LC (LibCrypto) that allows attackers to bypass certificate chain verification. Because the library is widely used for TLS operations across the cloud and mobile ecosystem, any project with dependencies on AWS infrastructure or third-party tools using it could be exposed. A patch is now available.

The core of this vulnerability lies in three distinct flaws discovered by the AISLE Research Team. Two of these, CVE-2026-3336 and CVE-2026-3338, affect the `PKCS7_verify()` function and allow an attacker to bypass certificate and signature validation: when processing a PKCS7 object with multiple signers, the library checked only the final signer, creating a significant trust loophole. The third, CVE-2026-3337, is a timing side channel in AES-CCM decryption. By analyzing minute variations in processing time, an attacker could potentially determine whether an authentication tag is valid, undermining the integrity guarantee the tag is meant to provide.

There are no known workarounds for the certificate validation bypasses. The patched versions are AWS-LC 1.69.0 and AWS-LC-FIPS 3.2.0. The vulnerabilities affect a range of prior versions: the timing side channel affects versions from 1.21.0 onward, and the certificate validation issues affect versions from 1.41.0 onward. While AWS has stated that its own services were not impacted, any customer whose application code integrates directly with these libraries is urged to upgrade.

For developers in the Apple ecosystem, the relevance extends to any application that relies on AWS infrastructure or incorporates third-party tools built with the vulnerable library. Documentation exists for building AWS-LC for macOS and iOS, including FIPS-compliant builds, and it is used in cross-platform frameworks like React Native. The vulnerability also has direct implications for the Matter smart home standard, which is backed by Apple, Google, and Amazon and relies on robust certificate-based authentication and encryption. In a suggested temporary workaround for the timing vulnerability, Amazon specifically references an API implementation for Matter (`EVP_aead_aes_128_ccm_matter`), highlighting the library's use in this ecosystem.
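As an added illustration, not code from AWS-LC or the advisory, the result-aggregation pattern behind the multi-signer bypass described above, beside the corrected form that requires every signer to verify. HMAC tags stand in for real signatures and a dict stands in for the certificate store so the example runs offline; all keys and signer names are constructed.

```python
import hmac
import hashlib

# Constructed stand-in for a PKCS7 SignedData: {"content": bytes, "signers": [...]}
# where each signer is (signer_id, tag). HMAC tags replace real signatures and a
# dict replaces the certificate store so this runs offline; only the aggregation
# logic matters here.
TRUSTED_KEYS = {"ca-signer": b"trusted-key-1", "build-signer": b"trusted-key-2"}

def _tag(key, content):
    return hmac.new(key, content, hashlib.sha256).digest()

def sign(content, signer_id):
    """Produce a SignerInfo-like tuple for a trusted signer."""
    return (signer_id, _tag(TRUSTED_KEYS[signer_id], content))

def verify_one(signer, content):
    """True only if the signer is trusted and its tag matches the content."""
    signer_id, tag = signer
    key = TRUSTED_KEYS.get(signer_id)
    if key is None:
        return False
    return hmac.compare_digest(_tag(key, content), tag)

def verify_last_only(sd):
    """Buggy pattern described above: each iteration overwrites the result,
    so only the final signer decides the outcome."""
    ok = False
    for s in sd["signers"]:
        ok = verify_one(s, sd["content"])
    return ok

def verify_all(sd):
    """Corrected pattern: every signer must verify, and an empty signer list
    is rejected rather than vacuously accepted."""
    if not sd["signers"]:
        return False
    return all(verify_one(s, sd["content"]) for s in sd["signers"])

def demo():
    """An untrusted signer placed before a valid one; returns (buggy, fixed)."""
    content = b"firmware-manifest-v1"  # constructed sample content
    rogue = ("rogue", _tag(b"attacker-key", content))  # not in TRUSTED_KEYS
    sd = {"content": content, "signers": [rogue, sign(content, "ca-signer")]}
    return verify_last_only(sd), verify_all(sd)
```

The buggy verifier accepts the object because the last signer checks out, while the corrected one rejects it; a review of your own verification code should look for the same overwritten-result shape.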
