CVE-2026-3337

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/2026-005-AWS/	Vendor Advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0	Release Notes
https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:amazon:aws-lc-fips-sys::::::rust::*
	cpe:2.3:a:amazon:aws-lc-sys::::::rust::*
	cpe:2.3:a:amazon:aws_libcrypto::::::::
	cpe:2.3:a:amazon:aws_libcrypto:::::fips:::*

History

11 Mar 2026, 17:14

Type	Values Removed	Values Added
CPE	cpe:2.3:a:aws:aws_libcrypto:::::fips:::* cpe:2.3:a:aws:aws_libcrypto::::::::	cpe:2.3:a:amazon:aws-lc-fips-sys::::::rust::* cpe:2.3:a:amazon:aws_libcrypto:::::::: cpe:2.3:a:amazon:aws_libcrypto:::::fips:::* cpe:2.3:a:amazon:aws-lc-sys::::::rust::*
First Time		Amazon aws-lc-fips-sys Amazon aws-lc-sys Amazon Amazon aws Libcrypto

09 Mar 2026, 14:57

Type	Values Removed	Values Added
First Time		Aws aws Libcrypto Aws
References	~~() https://aws.amazon.com/security/security-bulletins/2026-005-AWS/ -~~	() https://aws.amazon.com/security/security-bulletins/2026-005-AWS/ - Vendor Advisory
References	~~() https://github.com/aws/aws-lc/releases/tag/v1.69.0 -~~	() https://github.com/aws/aws-lc/releases/tag/v1.69.0 - Release Notes
References	~~() https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh -~~	() https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh - Vendor Advisory
CPE		cpe:2.3:a:aws:aws_libcrypto:::::fips:::* cpe:2.3:a:aws:aws_libcrypto::::::::
Summary		(es) Una discrepancia de temporización observable en el descifrado AES-CCM en AWS-LC permite a un usuario no autenticado determinar potencialmente la validez de la etiqueta de autenticación mediante análisis de temporización. Las implementaciones afectadas son a través de la API EVP CIPHER: EVP_aes_128_ccm, EVP_aes_192_ccm y EVP_aes_256_ccm. Los clientes de los servicios de AWS no necesitan tomar ninguna medida. Las aplicaciones que utilizan AWS-LC deberían actualizar a la versión 1.69.0 de AWS-LC.

02 Mar 2026, 23:16

Type	Values Removed	Values Added
References		() https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh -

02 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-02 22:16

Updated : 2026-03-11 17:14

NVD link : CVE-2026-3337

Mitre link : CVE-2026-3337

CVE.ORG link : CVE-2026-3337

JSON object : View

Products Affected

amazon

aws-lc-fips-sys
aws_libcrypto
aws-lc-sys

CWE

CWE-208

Observable Timing Discrepancy

5.9 /10