CVE-2026-4428 is a vulnerability classified under CWE-299 (Improper Check for Certificate Revocation) affecting AWS-LC, a cryptographic library used by Amazon Web Services and other applications for TLS and cryptographic functions. The issue arises from a logic error in the validation of Certificate Revocation List (CRL) distribution points, specifically when handling partitioned CRLs. Partitioned CRLs are subsets of a larger CRL used to improve scalability and performance. Due to this logic flaw, partitioned CRLs are mistakenly considered out of scope during validation, causing the system to ignore revocation status for certificates listed in these partitions. Consequently, revoked certificates can bypass revocation checks, allowing attackers to present revoked certificates as valid. This undermines the trust model of PKI, potentially enabling man-in-the-middle attacks, unauthorized access, or data interception. The vulnerability affects AWS-LC versions prior to 1.71.0, including version 1.24.0. AWS has released fixes in AWS-LC 1.71.0 and AWS-LC-FIPS-3.3.0 to correct the CRL validation logic. The CVSS 3.1 base score is 7.4, indicating high severity with network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality and integrity but no impact on availability. No known exploits have been reported in the wild as of the publication date. Organizations using AWS-LC for cryptographic operations should upgrade promptly to mitigate this risk.

The vulnerability allows revoked certificates to bypass revocation checks, which can have severe consequences for organizations relying on AWS-LC for secure communications. Attackers could exploit this flaw to impersonate legitimate services or users by presenting revoked certificates, facilitating man-in-the-middle attacks, unauthorized data access, or interception of sensitive information. This compromises confidentiality and integrity of communications and transactions. Since AWS-LC is widely used in cloud environments and security-sensitive applications, the impact could be broad, affecting cloud service providers, enterprises, and government agencies. The lack of availability impact means systems remain operational, but trust in secure connections is undermined. The high attack complexity reduces the likelihood of widespread exploitation but does not eliminate risk, especially from skilled adversaries. Organizations that fail to patch may face data breaches, regulatory non-compliance, and reputational damage.

To mitigate CVE-2026-4428, organizations should immediately upgrade AWS-LC to version 1.71.0 or AWS-LC-FIPS-3.3.0, where the CRL validation logic has been corrected. Beyond upgrading, organizations should audit their cryptographic libraries and dependencies to ensure no legacy versions remain in use. Implement strict certificate validation policies and consider deploying additional certificate status checking mechanisms such as Online Certificate Status Protocol (OCSP) stapling or OCSP responders to complement CRL checks. Monitor network traffic for anomalous TLS handshakes that might indicate use of revoked certificates. Conduct penetration testing focused on certificate validation to detect potential bypasses. For critical systems, consider implementing certificate pinning or multi-factor authentication to reduce reliance on certificate revocation alone. Maintain an inventory of all systems and applications using AWS-LC to ensure comprehensive coverage of the patch. Finally, stay informed about any emerging exploits or updates from AWS and security communities.