CVE-2026-4428: CWE-299 Improper check for certificate revocation in AWS AWS-LC
CVE-2026-4428 is a high-severity vulnerability in AWS-LC versions before 1.71.0 caused by a logic error in certificate revocation list (CRL) distribution point validation. The flaw incorrectly rejects partitioned CRLs as out of scope, so a certificate listed as revoked in such a partition is not recognised as revoked. Exploitation leads to acceptance of revoked certificates, compromising confidentiality and integrity, and requires neither authentication nor user interaction. AWS has addressed the issue in AWS-LC 1.71.0 and AWS-LC-FIPS-3.3.0.
AI Analysis
Technical Summary
CVE-2026-4428 affects AWS-LC, the open-source cryptographic library that AWS maintains as a fork of BoringSSL, in every release before 1.71.0 (and the FIPS branch before AWS-LC-FIPS-3.3.0). The defect is a logic error in the X.509 verifier's test of whether a certificate revocation list is in scope for the certificate being checked. Instead of one complete CRL, a CA may publish partitioned CRLs: each partition carries an Issuing Distribution Point extension naming the distribution point it covers, and each certificate names the partition that applies to it in its CRL Distribution Points extension (RFC 5280 sections 4.2.1.13 and 6.3.3), which keeps individual lists small. AWS-LC's scope check wrongly classified such partitioned CRLs as out of scope for the certificates they cover, so the partition that listed a revoked certificate was set aside rather than consulted, and the certificate passed revocation checking as though it had never been revoked. A peer able to present a revoked certificate and prove possession of its private key (key exposure is the usual reason a certificate is revoked in the first place) can therefore impersonate a legitimate endpoint, which undermines the TLS trust model and enables man-in-the-middle interception. No authentication or user interaction is needed and the attack is carried out over the network. The CVSS v3.1 base score is 7.4: network vector, no privileges or user interaction, high confidentiality and integrity impact, no availability impact; the gap to 9.1 comes from attack complexity being rated High, which matches the preconditions of holding a revoked key and of the verifier having CRL checking enabled (it is opt-in in the OpenSSL-compatible API AWS-LC exposes) and relying on partitioned CRLs. AWS fixed the issue in AWS-LC 1.71.0 and AWS-LC-FIPS-3.3.0. No exploitation in the wild had been reported at publication. The weakness is classified as CWE-299, improper check for certificate revocation.
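To make the scope decision concrete, here is an added illustrative model in plain Python. It is not AWS-LC code, and the "buggy" function is a hypothetical stand-in for the class of error described, not the actual AWS-LC code path (which the advisory does not show). It implements the RFC 5280 section 6.3.3 rule that a partitioned CRL applies only when one of the certificate's distribution-point names matches the CRL's Issuing Distribution Point, beside a hypothetical check that discards every CRL carrying an IDP, and shows how that mis-scoping turns a revoked serial into an unchecked one. The CA name, URIs and serial numbers are constructed sample data.

```python
"""Model of CRL distribution-point scoping (RFC 5280 section 6.3.3, step b).

Added example: plain-Python teaching code, not AWS-LC source. The "buggy"
scope function is a hypothetical illustration of mis-scoping partitioned CRLs,
not the actual AWS-LC defect.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    is_ca: bool = False
    # URIs named in the certificate's CRL Distribution Points extension
    crl_dp_uris: Tuple[str, ...] = ()


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: FrozenSet[int]
    # Names from the Issuing Distribution Point extension; empty means this is
    # a complete CRL for the issuer rather than a partition.
    idp_uris: Tuple[str, ...] = ()
    only_user_certs: bool = False
    only_ca_certs: bool = False


ScopeCheck = Callable[[Certificate, CRL], bool]


def crl_in_scope_fixed(cert: Certificate, crl: CRL) -> bool:
    """Correct scoping: a partition covers the certificate only when one of the
    certificate's distribution-point names matches the CRL's IDP names and the
    onlyContainsUserCerts / onlyContainsCACerts restrictions admit it."""
    if crl.issuer != cert.issuer:
        return False
    if crl.only_user_certs and cert.is_ca:
        return False
    if crl.only_ca_certs and not cert.is_ca:
        return False
    if not crl.idp_uris:
        return True  # complete CRL: covers every certificate of this issuer
    return any(uri in crl.idp_uris for uri in cert.crl_dp_uris)


def crl_in_scope_buggy(cert: Certificate, crl: CRL) -> bool:
    """Hypothetical mis-scoping: every CRL that carries an IDP is treated as
    out of scope, so partitions are never consulted."""
    if crl.issuer != cert.issuer:
        return False
    return not crl.idp_uris


def revocation_status(cert: Certificate, crls, in_scope: ScopeCheck) -> str:
    """Return "revoked", "good", or "no_crl" when no usable CRL was found."""
    scoped = [crl for crl in crls if in_scope(cert, crl)]
    if not scoped:
        return "no_crl"
    if any(cert.serial in crl.revoked_serials for crl in scoped):
        return "revoked"
    return "good"


def accept(cert: Certificate, crls, in_scope: ScopeCheck, soft_fail: bool = False) -> bool:
    """Fail closed on "no_crl" unless the caller explicitly opted into soft-fail."""
    status = revocation_status(cert, crls, in_scope)
    if status == "revoked":
        return False
    if status == "good":
        return True
    return soft_fail


# Constructed sample data (made-up CA, URIs and serials).
CA = "CN=Example Issuing CA"
P1 = "http://crl.example.test/ca-partition-1.crl"
P2 = "http://crl.example.test/ca-partition-2.crl"
CRLS = (
    CRL(CA, frozenset({0x0007}), idp_uris=(P1,)),
    CRL(CA, frozenset({0x1001}), idp_uris=(P2,)),
)
GOOD_LEAF = Certificate(CA, serial=0x1002, crl_dp_uris=(P2,))
REVOKED_LEAF = Certificate(CA, serial=0x1001, crl_dp_uris=(P2,))


if __name__ == "__main__":
    for name, check in (("fixed", crl_in_scope_fixed), ("buggy", crl_in_scope_buggy)):
        print(name, revocation_status(REVOKED_LEAF, CRLS, check),
              "accepted" if accept(REVOKED_LEAF, CRLS, check, soft_fail=True) else "rejected")
```

In this model the buggy check yields no usable CRL rather than a positive "good", so the revoked certificate slips through only if the caller treats "no CRL" as non-fatal; the advisory states that AWS-LC itself accepted the certificate, which is that fail-open outcome. When you test your own verifier, use exactly this combination: a leaf whose only CRL is a partition, and confirm the result is "revoked", not "good" and not a silently soft-failed lookup.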
Potential Impact
The direct consequence of CVE-2026-4428 is that a certificate its CA has already revoked through a partitioned CRL can still pass verification in an application that relies on AWS-LC for TLS or other X.509 validation. Certificates are typically revoked because their private key was exposed or because they were mis-issued, so an attacker holding such a key can impersonate the legitimate service, intercept or modify traffic, or run a man-in-the-middle attack without any warning on the client side. Confidentiality and integrity are affected; availability is not. The exposure is limited to deployments that enable CRL checking at all (it is opt-in in the OpenSSL-compatible API) and whose CAs publish partitioned CRLs; an application that never checked revocation was no better off before the fix, and one that checks revocation only through OCSP is not affected by this defect. Because AWS-LC is used in AWS services and is compiled into downstream projects such as the aws-lc-rs Rust crate, the affected population of binaries is wide and not always obvious from package names. No exploitation in the wild had been reported at publication; that lowers the immediate risk but not the urgency of patching now that the flaw is public.
Mitigation Recommendations
Upgrade AWS-LC to 1.71.0 or later, or AWS-LC-FIPS to 3.3.0 or later, where the CRL scoping logic is corrected. Inventory every place the library is present, not only packages named aws-lc: it is frequently compiled into the consuming binary (for example through the aws-lc-rs and aws-lc-sys Rust crates), so check the version string embedded in built artifacts and rebuild dependents after bumping the crate or submodule. While patching, review how revocation is configured: confirm that CRL checking is enabled where you intend it to be and that a missing or unusable CRL is treated as a hard failure rather than silently ignored; add OCSP stapling as a complementary path so the decision does not rest on CRLs alone; and use certificate pinning where the peer set is small and stable. Add the scenario of a revoked certificate passing validation to incident-response playbooks, monitor for unexpected certificates on TLS endpoints, and follow AWS-LC release notes for further advisories.
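As an added helper for the version audit above (not part of the advisory or of AWS-LC), the script below classifies AWS-LC version banners against the fixed releases the advisory names. It assumes the library embeds a string of the form "AWS-LC <x.y.z>" or "AWS-LC-FIPS-<x.y.z>" (the OpenSSL-compatibility banner AWS-LC defines carries "AWS-LC <version>"); confirm the exact format against your own binaries with `strings` before trusting a negative result. The sample banners are constructed, not taken from real binaries.

```python
"""Audit helper: is an AWS-LC version banner below the fixed release?

Added example, not part of the advisory or of AWS-LC. Fixed versions come from
the advisory (AWS-LC 1.71.0, AWS-LC-FIPS-3.3.0). The banner format matched by
BANNER_RE is an assumption; verify it against your binaries with `strings`.
"""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

FIXED_IN = {
    "AWS-LC": (1, 71, 0),
    "AWS-LC-FIPS": (3, 3, 0),
}

# Accepts "AWS-LC 1.70.2", "AWS-LC-FIPS-3.2.0", "AWS-LC FIPS 3.2.0" and the
# OpenSSL-compatibility banner "... (compatible; AWS-LC 1.65.0)".
BANNER_RE = re.compile(r"AWS-LC(?P<fips>[ -]FIPS)?[ -](?P<ver>\d+\.\d+\.\d+)")


def parse_banner(text: str) -> Optional[Tuple[str, Version]]:
    """Return (product, (major, minor, patch)) or None if no banner is present."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    product = "AWS-LC-FIPS" if m.group("fips") else "AWS-LC"
    major, minor, patch = (int(p) for p in m.group("ver").split("."))
    return product, (major, minor, patch)


def is_vulnerable(product: str, version: Version) -> bool:
    # Tuple comparison is numeric, so 1.9.0 < 1.10.0 < 1.71.0 as intended.
    return version < FIXED_IN[product]


def audit_lines(lines: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, Version, bool]]:
    """Return (source, product, version, vulnerable) for every line carrying a banner."""
    findings = []
    for source, text in lines:
        parsed = parse_banner(text)
        if parsed is None:
            continue
        product, version = parsed
        findings.append((source, product, version, is_vulnerable(product, version)))
    return findings


def scan_file(path: str) -> List[Tuple[str, str, Version, bool]]:
    """Pull printable runs out of a binary and audit them (a minimal `strings`)."""
    with open(path, "rb") as fh:
        data = fh.read()
    runs = re.findall(rb"[\x20-\x7e]{8,}", data)
    return audit_lines((path, run.decode("ascii")) for run in runs)


# Constructed sample input: made-up banners, not from real binaries.
SAMPLE = [
    ("libcrypto.so (service A)", "OpenSSL 1.1.1 (compatible; AWS-LC 1.70.0)"),
    ("libcrypto.so (service B)", "OpenSSL 1.1.1 (compatible; AWS-LC 1.71.0)"),
    ("fips-module", "AWS-LC-FIPS-3.2.1"),
    ("fips-module-patched", "AWS-LC FIPS 3.3.0"),
    ("unrelated", "OpenSSL 3.0.13 30 Jan 2024"),
]

if __name__ == "__main__":
    for source, product, version, vuln in audit_lines(SAMPLE):
        ver = ".".join(str(p) for p in version)
        print(f"{source}: {product} {ver} -> {'VULNERABLE' if vuln else 'ok'}")
```

Run `scan_file` over every libcrypto and every statically linked service binary you ship; a binary with no banner at all is not proof of absence, since symbol stripping does not remove the version string but a custom build might, so treat "no finding" as "verify manually".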
Affected Countries
United States, Germany, United Kingdom, Japan, Canada, Australia, France, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: AMZN
- Date Reserved: 2026-03-19T13:42:59.783Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bc6600e32a4fbe5ff98437
Added to database: 3/19/2026, 9:09:20 PM
Last enriched: 3/19/2026, 9:23:46 PM
Last updated: 3/19/2026, 11:41:06 PM