{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3337", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "state": "PUBLISHED", "assignerShortName": "AMZN", "dateReserved": "2026-02-27T15:16:28.371Z", "datePublished": "2026-03-02T21:20:08.532Z", "dateUpdated": "2026-03-03T20:04:27.577Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "AWS-LC", "vendor": "AWS", "versions": [{"lessThan": "1.69.0", "status": "affected", "version": "1.21.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "AWS-LC-FIPS", "vendor": "AWS", "versions": [{"lessThan": "3.2.0", "status": "affected", "version": "3.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.</p><p><br></p><p>The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.</p><p><br></p><p>Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.</p><br>"}], "value": "Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.\n\n\n\n\nThe impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.\n\n\n\n\nCustomers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0."}], "impacts": [{"capecId": "CAPEC-462", "descriptions": [{"lang": "en", "value": "CAPEC-462 (Cross-Domain Search Timing)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 (Observable Timing Discrepancy)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-03-02T22:14:33.074Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://aws.amazon.com/security/security-bulletins/2026-005-AWS/"}, {"tags": ["patch"], "url": "https://github.com/aws/aws-lc/releases/tag/v1.69.0"}, {"tags": ["third-party-advisory"], "url": "https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh"}], "source": {"discovery": "UNKNOWN"}, "title": "Timing Side-Channel in AES-CCM Tag Verification in AWS-LC", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T20:03:12.007267Z", "id": "CVE-2026-3337", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:04:27.577Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3337", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T20:03:12.007267Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:03:15.485Z"}}], "cna": {"title": "Timing Side-Channel in AES-CCM Tag Verification in AWS-LC", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-462", "descriptions": [{"lang": "en", "value": "CAPEC-462 (Cross-Domain Search Timing)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AWS", "product": "AWS-LC", "versions": [{"status": "affected", "version": "1.21.0", "lessThan": "1.69.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "AWS", "product": "AWS-LC-FIPS", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.2.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-005-AWS/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/aws/aws-lc/releases/tag/v1.69.0", "tags": ["patch"]}, {"url": "https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.\n\n\n\n\nThe impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.\n\n\n\n\nCustomers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.", "supportingMedia": [{"type": "text/html", "value": "<p>Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.</p><p><br></p><p>The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.</p><p><br></p><p>Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 (Observable Timing Discrepancy)"}]}], "providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-03-02T22:14:33.074Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3337", "state": "PUBLISHED", "dateUpdated": "2026-03-03T20:04:27.577Z", "dateReserved": "2026-02-27T15:16:28.371Z", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "datePublished": "2026-03-02T21:20:08.532Z", "assignerShortName": "AMZN"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:aws-lc-fips-sys:*:*:*:*:*:rust:*:*", "matchCriteriaId": "71BBCE97-9AF7-49FD-87CB-7E8A79C23157", "versionEndExcluding": "0.13.12", "versionStartIncluding": "0.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:aws-lc-sys:*:*:*:*:*:rust:*:*", "matchCriteriaId": "43114A7E-C07A-43A3-B8C8-A34D3E970371", "versionEndExcluding": "0.38.0", "versionStartIncluding": "0.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", "matchCriteriaId": "1ECDEEC4-7875-4EBE-B197-00D4F831897E", "versionEndExcluding": "1.69.0", "versionStartIncluding": "1.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:fips:*:*:*", "matchCriteriaId": "0AA70D44-F3B1-41E0-9916-40B9D8C7AD9A", "versionEndExcluding": "3.2.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.\n\n\n\n\nThe impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.\n\n\n\n\nCustomers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0."}, {"lang": "es", "value": "Una discrepancia de temporizaci\u00f3n observable en el descifrado AES-CCM en AWS-LC permite a un usuario no autenticado determinar potencialmente la validez de la etiqueta de autenticaci\u00f3n mediante an\u00e1lisis de temporizaci\u00f3n.\n\nLas implementaciones afectadas son a trav\u00e9s de la API EVP CIPHER: EVP_aes_128_ccm, EVP_aes_192_ccm y EVP_aes_256_ccm.\n\nLos clientes de los servicios de AWS no necesitan tomar ninguna medida. Las aplicaciones que utilizan AWS-LC deber\u00edan actualizar a la versi\u00f3n 1.69.0 de AWS-LC."}], "id": "CVE-2026-3337", "lastModified": "2026-03-11T17:14:55.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}, "published": "2026-03-02T22:16:32.093", "references": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://aws.amazon.com/security/security-bulletins/2026-005-AWS/"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"], "url": "https://github.com/aws/aws-lc/releases/tag/v1.69.0"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh"}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}

{"bugzilla": {"description": "aws-lc: AWS-LC: Information disclosure via timing discrepancy in AES-CCM decryption", "id": "2444024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444024"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-208", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3337", "package_state": [{"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-monitor-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-operator-bundle", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-podvm-builder-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-rhel9-operator", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "clevis-pin-trustee", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "trustee", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "virt-firmware-rs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "clevis-pin-trustee", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "kata-containers", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_update_service:5", "fix_state": "Fix deferred", "package_name": "openshift-update-service/openshift-update-service-rhel8", "product_name": "Red Hat OpenShift Update Service"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/tuffer-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/tuftool-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_profile_analyzer:2", "fix_state": "Fix deferred", "package_name": "rhtpa/rhtpa-trustification-service-rhel9", "product_name": "Red Hat Trusted Profile Analyzer"}], "public_date": "2026-03-02T21:20:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3337\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3337\nhttps://aws.amazon.com/security/security-bulletins/2026-005-AWS/\nhttps://github.com/aws/aws-lc/releases/tag/v1.69.0"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.21.0,1.69.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AWS-LC", "source": "cna", "vendor": "AWS"}, "product": "aws-lc", "vendor": "aws"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AWS-LC-FIPS", "source": "cna", "vendor": "AWS"}, "product": "aws-lc-fips", "vendor": "aws"}], "analysis": {"en": {"generated_at": "2026-04-17T13:28:28.562734+00:00", "value": {"mitigation_remediation": ["Upgrade to AWS\u2011LC version\u202f1.69.0 or later.", "Rebuild and deploy all applications that utilize the EVP AES CCM APIs against the updated library.", "Validate that the update eliminates the timing vulnerability through regression tests or side\u2011channel analysis if possible."], "summary": {"action": "Immediate Patch", "impact": "Timing side\u2011channel during AES\u2011CCM tag verification"}, "threat_synthesis": {"affected_systems": "All versions of AWS\u2011LC and AWS\u2011LC\u2011FIPS that expose the EVP AES CCM APIs \u2013 specifically EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm \u2013 are impacted. The vulnerability is mitigated in AWS\u2011LC release\u202f1.69.0 and later; earlier releases remain vulnerable.", "description_and_impact": "A timing discrepancy exists in the AES\u2011CCM decryption process of AWS\u2011LC that allows an attacker to infer whether an authentication tag is valid by measuring decryption time. Because the tag verification step is conditioned on the authentication result, the observed latency leaks sensitive state, potentially allowing an attacker to infer authentication tag validity.", "risk_and_exploitability": "The CVSS score of 8.2 classifies this as a high\u2011severity flaw, but the EPSS score of less than 1\u202f% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this weakness remotely by sending crafted ciphertexts to the decryption routine and timing responses. Detection of the vulnerability requires a side\u2011channel timing attack rather than code execution. The lack of an existing workaround means that patching is the only viable defense."}}}}, "created": "2026-03-03T08:40:56.372973+00:00", "updated": "2026-04-17T13:30:19.608542+00:00", "vendors": ["aws", "aws$PRODUCT$aws-lc", "aws$PRODUCT$aws-lc-fips"]}