{"id":"RUSTSEC-2026-0046","summary":"PKCS7_verify Certificate Chain Validation Bypass in AWS-LC","details":"Improper certificate validation in `PKCS7_verify()` in AWS-LC allows an\nunauthenticated user to bypass certificate chain verification when processing\nPKCS7 objects with multiple signers, except the final signer.\n\nCustomers of AWS services do not need to take action. `aws-lc-sys` contains\ncode from AWS-LC. Applications using `aws-lc-sys` should upgrade to the most\nrecent release of `aws-lc-sys`.\n\nThere is no workaround; applications using `aws-lc-sys` should upgrade to the \nmost recent release of aws-lc-sys.","aliases":["CVE-2026-3336","GHSA-cfwj-9wp5-wqvp","GHSA-vw5v-4f2q-w9xf"],"modified":"2026-03-21T06:45:35Z","published":"2026-03-02T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/aws-lc-sys"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0046.html"},{"type":"WEB","url":"https://aws.amazon.com/security/security-bulletins/2026-005-AWS"},{"type":"ADVISORY","url":"https://github.com/aws/aws-lc-rs/security/advisories/GHSA-vw5v-4f2q-w9xf"}],"affected":[{"package":{"name":"aws-lc-sys","ecosystem":"crates.io","purl":"pkg:cargo/aws-lc-sys"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.24.0"},{"fixed":"0.38.0"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":null,"categories":["crypto-failure"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0046.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}