CVE-2026-3336 is a vulnerability in the AWS-LC cryptographic library, specifically in the PKCS7_verify() function responsible for verifying PKCS7 signed data objects. The flaw arises from improper certificate validation (CWE-295) when processing PKCS7 objects containing multiple signers. The verification logic fails to properly validate the certificate chains of all signers except the final one, allowing an unauthenticated attacker to bypass certificate chain verification for intermediate signers. This can enable attackers to forge or tamper with signed data without detection, compromising data integrity. The vulnerability does not affect confidentiality or availability but undermines trust in cryptographic signatures. Exploitation requires no privileges or user interaction and can be performed remotely by submitting crafted PKCS7 objects to vulnerable applications. The affected AWS-LC versions include 1.41.0 and earlier, with the issue resolved in version 1.69.0. AWS customers using AWS services directly are not impacted, but third-party applications and services embedding AWS-LC for cryptographic operations must upgrade promptly. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk to software supply chains and any system relying on PKCS7 signature verification. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation and impact on integrity.

The primary impact of CVE-2026-3336 is the compromise of data integrity in applications using vulnerable versions of AWS-LC for PKCS7 signature verification. Attackers can bypass certificate chain validation for multiple signers, enabling them to forge or alter signed data without detection. This undermines trust in digital signatures, potentially allowing malicious code, documents, or updates to appear legitimate. Organizations relying on PKCS7 signatures for software updates, document signing, or secure communications may face risks of supply chain attacks, fraud, or unauthorized data manipulation. Although confidentiality and availability are not directly affected, the integrity breach can lead to downstream security incidents, regulatory non-compliance, and reputational damage. The vulnerability's ease of exploitation without authentication or user interaction increases the risk of widespread abuse, especially in environments where AWS-LC is embedded in critical infrastructure or widely distributed software products.

To mitigate CVE-2026-3336, organizations should immediately upgrade all instances of AWS-LC to version 1.69.0 or later, where the certificate validation logic in PKCS7_verify() is corrected. Developers embedding AWS-LC in their applications must audit their dependencies and update vulnerable versions. Additionally, implement rigorous code signing and verification policies that include multiple layers of signature validation beyond PKCS7 when possible. Employ runtime integrity monitoring to detect anomalous signed data or unexpected signature verification failures. Organizations should also review their software supply chain security practices to ensure that all cryptographic libraries are up to date and properly configured. For critical systems, consider implementing additional cryptographic verification mechanisms or manual validation steps until patches are fully deployed. Finally, monitor threat intelligence sources for any emerging exploits targeting this vulnerability and be prepared to respond swiftly.