AWS-LC PKCS7 Signature Validation Bypass Vulnerability
Vulnerability
A vulnerability in AWS-LC's PKCS7_verify() allows an unauthenticated attacker to bypass signature validation. The issue is triggered when verifying PKCS7 SignedData objects whose SignerInfo carries authenticated attributes. In that form the signature covers the DER-encoded attribute set rather than the content itself, so a correct verifier must both check the signature over the attributes and compare the messageDigest attribute against the digest of the actual content (RFC 5652, section 5.6); any gap in that two-step check lets content the signer never signed pass as verified. Affected versions: AWS-LC 1.41.0 up to but not including 1.69.0, and aws-lc-sys 0.24.0 up to but not including 0.38.0.
Impact
An attacker who can supply a PKCS7 object to an application that relies on PKCS7_verify() can have a forged signature, or a legitimately signed object whose content has been altered, reported as valid. Any trust decision built on that result (accepting a signed update, document or message) is then made on attacker-controlled data.
Remediation
Upgrade AWS-LC to 1.69.0 or later. Users of the aws-lc-sys crate should upgrade to 0.38.0 or later; because aws-lc-sys is usually pulled in transitively (for example by aws-lc-rs), check the resolved version in Cargo.lock (`cargo tree -i aws-lc-sys`) rather than only the direct dependencies.
