CVE-2026-4428
Logic Error in AWS-LC CRL Validation Allows Revoked Certificates Bypass
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: AMZN
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aws | aws-lc | 1.71.0 |
| aws | aws-lc-fips | 3.3.0 |
| aws | aws-lc | From 1.24.0 (inc) to 1.71.0 (exc) |
| aws | aws-lc-fips | From 3.0.0 (inc) to 3.3.0 (exc) |
| aws | aws-lc-sys | From 0.15.0 (inc) to 0.39.0 (exc) |
| aws | aws-lc-fips-sys | From 0.13.0 (inc) to 0.13.13 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-299 | The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4428 is a logic error in the Certificate Revocation List (CRL) distribution point validation of AWS-LC, a cryptographic library. Partitioned CRLs that carry an Issuing Distribution Point (IDP) extension are incorrectly rejected as out of scope, so a revoked certificate can bypass the revocation check during X.509 certificate verification when CRL checking is enabled.
How can this vulnerability impact me?
This vulnerability can allow revoked certificates to be accepted as valid by applications using AWS-LC with CRL checking enabled and partitioned CRLs with IDP extensions. This means that an attacker could potentially use a revoked certificate to impersonate a trusted entity or gain unauthorized access, undermining the security of systems relying on certificate validation.
The issue affects AWS-LC versions from v1.24.0 up to but not including v1.71.0, AWS-LC-FIPS versions from 3.0.0 up to but not including 3.3.0, and the corresponding Rust bindings: aws-lc-sys from 0.15.0 up to but not including 0.39.0, and aws-lc-fips-sys from 0.13.0 up to but not including 0.13.13. Systems that do not enable CRL checking, or that use only complete CRLs without IDP extensions, are not affected.
To mitigate this risk, users should upgrade to AWS-LC version 1.71.0 or AWS-LC-FIPS version 3.3.0, or disable CRL checking or use complete CRLs without IDP extensions as a workaround.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects applications using AWS-LC with CRL checking enabled via the X509_V_FLAG_CRL_CHECK flag and partitioned CRLs containing Issuing Distribution Point (IDP) extensions. Detection involves verifying if your system or application uses an impacted AWS-LC version and if CRL checking with partitioned CRLs is enabled.
You can check the AWS-LC library version in use to determine if it falls within the vulnerable range (from v1.24.0 up to but not including v1.71.0).
Since the vulnerability is related to certificate revocation checks, you can also monitor certificate validation logs or errors for unexpected acceptance of revoked certificates.
Specific commands to detect the vulnerability are not provided in the available resources.
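As an added illustration (not part of the advisory or of the AWS-LC project), the following Python script applies the affected ranges from the table above to a pinned version and combines the result with the two preconditions the advisory names: CRL checking enabled and partitioned CRLs with an IDP extension. The Cargo.lock scanner assumes the standard TOML layout of `[[package]]` blocks, and the lock file contents are constructed for the example.

```python
# Added example for CVE-2026-4428 (not from the advisory): flag AWS-LC builds in the
# affected ranges and decide exposure from the preconditions the advisory names.
import re

# Ranges from the advisory table: lower bound inclusive, fixed version exclusive.
AFFECTED = {
    "aws-lc":          ((1, 24, 0), (1, 71, 0)),
    "aws-lc-fips":     ((3, 0, 0), (3, 3, 0)),
    "aws-lc-sys":      ((0, 15, 0), (0, 39, 0)),
    "aws-lc-fips-sys": ((0, 13, 0), (0, 13, 13)),
}

def parse_version(text):
    """'v1.30.2' -> (1, 30, 2); a missing minor/patch component is padded with 0."""
    nums = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def version_affected(product, version):
    """True when the pinned version falls inside the affected range for product."""
    low, fixed = AFFECTED[product]
    return low <= parse_version(version) < fixed

def exposure(product, version, crl_check_enabled, crl_has_idp):
    """Combine the build version with the two preconditions from the advisory:
    X509_V_FLAG_CRL_CHECK set, and CRLs that carry an Issuing Distribution Point."""
    if not version_affected(product, version):
        return "not affected: version outside the vulnerable range"
    if not crl_check_enabled:
        return "affected build, but CRL checking is disabled: not exposed"
    if not crl_has_idp:
        return "affected build, but only complete CRLs without IDP: not exposed"
    return "EXPOSED: revoked certificates may pass verification; upgrade"

# Cargo.lock is TOML: each [[package]] block starts with name/version lines.
_PKG = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')

def scan_cargo_lock(text):
    """Return {crate: version} for aws-lc-*-sys crates pinned in affected ranges."""
    return {name: ver for name, ver in _PKG.findall(text)
            if name in AFFECTED and version_affected(name, ver)}

# Constructed sample lock file (not from any real project): one exposed pin, one fixed.
SAMPLE_LOCK = """\
[[package]]
name = "aws-lc-sys"
version = "0.25.0"

[[package]]
name = "aws-lc-fips-sys"
version = "0.13.13"
"""
```

Run `scan_cargo_lock` over a real Cargo.lock, then feed each hit to `exposure` with the CRL settings your verifier actually uses; a hit alone is not a confirmed exposure.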
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade AWS-LC to version 1.71.0 or AWS-LC-FIPS to version 3.3.0 or later, where this issue has been resolved.
If upgrading immediately is not possible, a workaround is to disable CRL checking or to use complete (non-partitioned) CRLs without Issuing Distribution Point (IDP) extensions, which avoids exposure to this vulnerability.
Ensure that any forked or derivative codebases of AWS-LC are also patched accordingly.