NIXPKGS-2026-0506

GitHub issue published on 3 Mar 2026

Permalink CVE-2026-3336

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 2 weeks, 6 days ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 6 days ago
@LeSuisse accepted 2 weeks, 6 days ago
@LeSuisse published on GitHub 2 weeks, 6 days ago

PKCS7_verify Certificate Chain Validation Bypass in AWS-LC

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

References

https://aws.amazon.com/security/security-bulletins/2026-005-AWS/ vendor-advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0 patch
https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp third-party-advisory

Affected products

AWS-LC

<1.69.0

Matching in nixpkgs

pkgs.aws-lc

General-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers

nixos-unstable 1.67.0
- nixpkgs-unstable 1.67.0
- nixos-unstable-small 1.67.0
nixos-25.11 1.65.0
- nixos-25.11-small 1.65.0
- nixpkgs-25.11-darwin 1.65.0

Package maintainers

@theoparis Theo Paris <theo@tinted.dev>

Upstream advisory: https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0506

References

Affected products

Matching in nixpkgs

pkgs.aws-lc

Package maintainers