CVE-2026-4428
Received Received - Intake
Logic Error in AWS-LC CRL Validation Allows Revoked Certificates Bypass

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: AMZN

Description
A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks. To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4428
EUVD
EUVD-2026-13237
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
aws aws-lc 1.71.0
aws aws-lc-fips 3.3.0
aws aws-lc From 1.24.0 (inc) to 1.71.0 (exc)
aws aws-lc-fips From 3.0.0 (inc) to 3.3.0 (exc)
aws aws-lc-sys From 0.15.0 (inc) to 0.39.0 (exc)
aws aws-lc-fips-sys From 0.13.0 (inc) to 0.13.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-299 The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary mitigation is to upgrade AWS-LC to version 1.71.0 or AWS-LC-FIPS to version 3.3.0 or later, where this issue has been resolved.

If upgrading immediately is not possible, a workaround is to disable CRL checking or to use complete (non-partitioned) CRLs without Issuing Distribution Point (IDP) extensions, which avoids exposure to this vulnerability.

Ensure that any forked or derivative codebases of AWS-LC are also patched accordingly.

Executive Summary

CVE-2026-4428 is a logic error in the Certificate Revocation List (CRL) distribution point validation within AWS-LC, a cryptographic library. Specifically, the error causes partitioned CRLs that include Issuing Distribution Point (IDP) extensions to be incorrectly rejected as out of scope. This flaw allows revoked certificates to bypass the certificate revocation checks during X.509 certificate verification when CRL checking is enabled.

Impact Analysis

This vulnerability can allow revoked certificates to be accepted as valid by applications using AWS-LC with CRL checking enabled and partitioned CRLs with IDP extensions. This means that an attacker could potentially use a revoked certificate to impersonate a trusted entity or gain unauthorized access, undermining the security of systems relying on certificate validation.

The issue affects AWS-LC versions from v1.24.0 up to but not including v1.71.0, AWS-LC-FIPS versions from 3.0.0 up to but not including 3.3.0, and related sys versions. Systems not enabling CRL checking or using complete CRLs without IDP extensions are not affected.

To mitigate this risk, users should upgrade to AWS-LC version 1.71.0 or AWS-LC-FIPS version 3.3.0, or disable CRL checking or use complete CRLs without IDP extensions as a workaround.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects applications using AWS-LC with CRL checking enabled via the X509_V_FLAG_CRL_CHECK flag and partitioned CRLs containing Issuing Distribution Point (IDP) extensions. Detection involves verifying if your system or application uses an impacted AWS-LC version and if CRL checking with partitioned CRLs is enabled.

You can check the AWS-LC library version in use to determine if it falls within the vulnerable range (from v1.24.0 up to but not including v1.71.0).

Since the vulnerability is related to certificate revocation checks, you can also monitor certificate validation logs or errors for unexpected acceptance of revoked certificates.

Specific commands to detect the vulnerability are not provided in the available resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart