CVE-2026-4428: CWE-299 Improper check for certificate revocation in AWS AWS-LC
CVE-2026-4428 is a high-severity vulnerability in AWS-LC versions prior to 1.71.0 caused by a logic error in the validation of certificate revocation list (CRL) distribution points. This flaw leads to partitioned CRLs being incorrectly rejected as out of scope, which allows revoked certificates to bypass revocation checks. The vulnerability affects AWS-LC version 1.24.0 and earlier. A fix is available by upgrading to AWS-LC version 1.71.0 or later.
AI Analysis
Technical Summary
CVE-2026-4428 is a vulnerability in AWS-LC before version 1.71.0 involving improper validation of CRL distribution points due to a logic error. This causes partitioned CRLs to be mistakenly treated as out of scope, allowing revoked certificates to bypass revocation checks. The issue affects AWS-LC versions including 1.24.0. The vulnerability is classified under CWE-299 (Improper Check for Certificate Revocation). The CVSS 3.1 base score is 7.4 with network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality and integrity. The vendor has released a fix in AWS-LC version 1.71.0.
Potential Impact
The vulnerability allows revoked certificates to bypass revocation checks due to incorrect handling of partitioned CRLs. This can lead to acceptance of revoked certificates, potentially compromising confidentiality and integrity of communications relying on AWS-LC for certificate validation. There are no reports of known exploits in the wild.
Mitigation Recommendations
A fix is available by upgrading AWS-LC to version 1.71.0 or later. Users of affected versions should apply this update to resolve the vulnerability. Since this is a library, ensure that all dependent applications and services are rebuilt or updated accordingly. Patch status is confirmed by the vendor advisory indicating the fix is included in version 1.71.0.
CVE-2026-4428: CWE-299 Improper check for certificate revocation in AWS AWS-LC
Description
CVE-2026-4428 is a high-severity vulnerability in AWS-LC versions prior to 1.71.0 caused by a logic error in the validation of certificate revocation list (CRL) distribution points. This flaw leads to partitioned CRLs being incorrectly rejected as out of scope, which allows revoked certificates to bypass revocation checks. The vulnerability affects AWS-LC version 1.24.0 and earlier. A fix is available by upgrading to AWS-LC version 1.71.0 or later.
CVSS v3.1
Score 7.4high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4428 is a vulnerability in AWS-LC before version 1.71.0 involving improper validation of CRL distribution points due to a logic error. This causes partitioned CRLs to be mistakenly treated as out of scope, allowing revoked certificates to bypass revocation checks. The issue affects AWS-LC versions including 1.24.0. The vulnerability is classified under CWE-299 (Improper Check for Certificate Revocation). The CVSS 3.1 base score is 7.4 with network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality and integrity. The vendor has released a fix in AWS-LC version 1.71.0.
Potential Impact
The vulnerability allows revoked certificates to bypass revocation checks due to incorrect handling of partitioned CRLs. This can lead to acceptance of revoked certificates, potentially compromising confidentiality and integrity of communications relying on AWS-LC for certificate validation. There are no reports of known exploits in the wild.
Mitigation Recommendations
A fix is available by upgrading AWS-LC to version 1.71.0 or later. Users of affected versions should apply this update to resolve the vulnerability. Since this is a library, ensure that all dependent applications and services are rebuilt or updated accordingly. Patch status is confirmed by the vendor advisory indicating the fix is included in version 1.71.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- AMZN
- Date Reserved
- 2026-03-19T13:42:59.783Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69bc6600e32a4fbe5ff98437
Added to database: 3/19/2026, 9:09:20 PM
Last enriched: 6/5/2026, 7:30:10 PM
Last updated: 6/18/2026, 12:19:04 PM
Views: 227
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.