{"id":"RUSTSEC-2026-0047","summary":"PKCS7_verify Signature Validation Bypass in AWS-LC","details":"Improper signature validation in `PKCS7_verify()` in AWS-LC allows an\nunauthenticated user to bypass signature verification when processing PKCS7\nobjects with Authenticated Attributes.\n\nCustomers of AWS services do not need to take action. `aws-lc-sys` contains\ncode from AWS-LC. Applications using `aws-lc-sys` should upgrade to the most\nrecent release of `aws-lc-sys`.\n\nThere is no workaround; applications using `aws-lc-sys` should upgrade to the \nmost recent release of `aws-lc-sys`.","aliases":["CVE-2026-3338","GHSA-hfpc-8r3f-gw53","GHSA-jchq-39cv-q4wj"],"modified":"2026-03-21T06:45:35Z","published":"2026-03-02T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/aws-lc-sys"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0047.html"},{"type":"WEB","url":"https://aws.amazon.com/security/security-bulletins/2026-005-AWS"},{"type":"ADVISORY","url":"https://github.com/aws/aws-lc-rs/security/advisories/GHSA-hfpc-8r3f-gw53"}],"affected":[{"package":{"name":"aws-lc-sys","ecosystem":"crates.io","purl":"pkg:cargo/aws-lc-sys"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.24.0"},{"fixed":"0.38.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","categories":["crypto-failure"],"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0047.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}