CVE-2026-4428: Improper Check for Certificate Revocation in AWS-LC
Vulnerability ID: CVE-2026-4428
CVSS Score: 7.4
Published: 2026-03-19
AWS-LC and AWS-LC-FIPS contain a logic error in their validation of X.509 Certificate Revocation Lists (CRLs). When a CA publishes partitioned CRLs, each carrying an Issuing Distribution Point (IDP) extension that restricts the CRL to the certificates whose CRL Distribution Point (CDP) names that partition, a bug in the distribution point scope evaluation causes the CRL that covers a certificate to be improperly rejected as out of scope. The revocation entries in that CRL are therefore never applied to the certificate, so a revoked certificate can pass revocation checking and be used to establish a trusted session.
TL;DR
A logic error in AWS-LC's CRL validation lets a revoked certificate pass revocation checks when its issuer publishes partitioned CRLs with Issuing Distribution Point extensions.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-299
- Attack Vector: Network
- CVSS Base Score: 7.4
- Impact: High Confidentiality, High Integrity
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- AWS-LC 1.24.0 up to, but not including, 1.71.0 (fixed in 1.71.0)
- AWS-LC-FIPS 3.0.0 up to, but not including, 3.3.0 (fixed in 3.3.0)
- Applications that compile against or link AWS-LC or AWS-LC-FIPS for X.509 validation
Code Analysis
Commit: 4738958
Fix CRL distribution point scope check logic error by decoupling unsupported field checks from URI matching.
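To make the scope rule concrete, here is an added Python model of the RFC 5280 section 6.3.3 check that decides whether a CRL is in scope for a certificate, together with the revocation decision that depends on it. It was written for this page and is not AWS-LC source: it parses no X.509, and it reproduces neither AWS-LC's implementation nor the exact defect, only the rule the defect breaks. The issuer name, the two partition URIs, the serial numbers and the `indirect_crl` flag (a constructed stand-in for a CRL field the verifier does not support, kept separate from the name match in the spirit of the commit message above) are all assumptions made for the example.

```python
"""Toy model of the RFC 5280 section 6.3.3 CRL scope check, written for this page.

Not AWS-LC code. A partitioned CRL (one carrying an IssuingDistributionPoint) covers
a certificate only when one of the certificate's cRLDistributionPoints names matches
the IDP name; if no in-scope CRL is found, revocation status is undetermined, not good.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

ALL_REASONS: FrozenSet[str] = frozenset({
    "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise",
})

@dataclass(frozen=True)
class DistributionPoint:
    """One entry of a certificate's cRLDistributionPoints extension."""
    names: FrozenSet[str]                  # fullName GeneralNames (URIs in this model)
    reasons: FrozenSet[str] = ALL_REASONS  # absent 'reasons' field means all reasons

@dataclass(frozen=True)
class IssuingDistributionPoint:
    """The CRL-side extension that makes a CRL partitioned."""
    names: FrozenSet[str]                  # distributionPoint fullName
    only_some_reasons: FrozenSet[str] = ALL_REASONS
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    indirect_crl: bool = False             # constructed stand-in for an unsupported field

@dataclass
class Crl:
    issuer: str
    idp: Optional[IssuingDistributionPoint]                # None = full, non-partitioned CRL
    revoked: Dict[int, str] = field(default_factory=dict)  # serial -> reason code

@dataclass
class Cert:
    serial: int
    issuer: str
    is_ca: bool
    cdps: Tuple[DistributionPoint, ...]

def crl_scope(cert: Cert, crl: Crl) -> FrozenSet[str]:
    """Reasons `crl` covers for `cert`; an empty set means the CRL is out of scope."""
    if crl.issuer != cert.issuer:
        return frozenset()
    if crl.idp is None:
        return ALL_REASONS                 # full CRL: covers every certificate of the issuer
    idp = crl.idp
    # Unsupported-field rejection is decided on its own, before and independently of
    # the name match, so it can neither mask nor be masked by the URI comparison.
    if idp.indirect_crl:
        return frozenset()
    if idp.only_contains_user_certs and cert.is_ca:
        return frozenset()
    if idp.only_contains_ca_certs and not cert.is_ca:
        return frozenset()
    if not idp.names:
        return idp.only_some_reasons       # IDP without a DP name: partitioned by reason only
    for dp in cert.cdps:
        if dp.names & idp.names:           # the certificate points at this partition
            return dp.reasons & idp.only_some_reasons
    return frozenset()                     # a partition this certificate never references

def revocation_status(cert: Cert, crls: List[Crl]) -> str:
    """'revoked', 'good' once in-scope CRLs cover every reason, otherwise 'undetermined'."""
    covered: set = set()
    for crl in crls:
        scope = crl_scope(cert, crl)
        if not scope:
            continue                       # this CRL says nothing about this certificate
        reason = crl.revoked.get(cert.serial)
        if reason is not None and reason in scope:
            return "revoked"
        covered |= scope
    return "good" if covered >= ALL_REASONS else "undetermined"

def demo() -> Dict[str, str]:
    """Constructed issuer with two CRL partitions; serial 0x1001 is revoked in partition A."""
    issuer = "CN=Example CA"
    part_a, part_b = "http://crl.example/a.crl", "http://crl.example/b.crl"
    leaf = Cert(0x1001, issuer, False, (DistributionPoint(frozenset({part_a})),))
    sibling = Cert(0x1002, issuer, False, (DistributionPoint(frozenset({part_a})),))
    crl_a = Crl(issuer, IssuingDistributionPoint(frozenset({part_a}), only_contains_user_certs=True),
                revoked={0x1001: "keyCompromise"})
    crl_b = Crl(issuer, IssuingDistributionPoint(frozenset({part_b}), only_contains_user_certs=True))
    full = Crl(issuer, None, revoked={0x1001: "superseded"})
    return {
        "both_partitions": revocation_status(leaf, [crl_b, crl_a]),   # revoked
        "wrong_partition_only": revocation_status(leaf, [crl_b]),     # undetermined: must fail closed
        "full_crl_without_idp": revocation_status(leaf, [full]),      # revoked
        "unrevoked_sibling": revocation_status(sibling, [crl_a]),     # good
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The in-scope partition A is what turns the answer into "revoked". If A is wrongly discarded, the leaf's status is merely "undetermined", and a verifier that treats anything short of an explicit "revoked" as acceptable lets the revoked certificate through; that is the bypass this advisory describes. When revocation checking is mandatory, "undetermined" has to be treated as a verification failure, not as "good".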
Mitigation Strategies
- Upgrade AWS-LC to version 1.71.0 or later
- Upgrade AWS-LC-FIPS to version 3.3.0 or later
- Where you operate the issuing CA, issue full, non-partitioned CRLs without the Issuing Distribution Point extension as a temporary workaround. This option is not available to relying parties that only consume CRLs published by a third-party CA; they need the library upgrade.
Remediation Steps:
- Identify all applications and services compiling against or linking to AWS-LC or AWS-LC-FIPS.
- Update the dependency manager or build environment to target AWS-LC 1.71.0 / AWS-LC-FIPS 3.3.0.
- Recompile statically linked applications to embed the patched library.
- Deploy updated shared objects and restart dynamically linked services to load the patched library into memory.
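For the first remediation step, here is an added Python scanner, not a tool from the AWS-LC project, that walks a directory tree looking for the version text AWS-LC compiles into its binaries and maps each hit onto the affected ranges listed above. It assumes, and this is an assumption about the build rather than something the advisory states, that the text has the OpenSSL-compatible form "OpenSSL 1.1.1 (compatible; AWS-LC 1.70.0)", with "AWS-LC FIPS" as the product name on FIPS builds; the two embedded sample blobs and the file names used in `demo()` are constructed.

```python
"""Find binaries that embed an AWS-LC or AWS-LC-FIPS version string and flag the
ranges from this advisory. Added example, not a tool from the AWS-LC project.

Assumption: AWS-LC builds embed an OpenSSL-compatible version text such as
"OpenSSL 1.1.1 (compatible; AWS-LC 1.70.0)", with "AWS-LC FIPS 3.0.0" on FIPS
builds. Binaries without that text (e.g. built with a custom version name) are
not reported, so treat a clean scan as evidence, not proof.
"""
import mmap
import re
import sys
from pathlib import Path
from typing import List, Set, Tuple

Version = Tuple[int, int, int]
VERSION_RE = re.compile(rb"AWS-LC(?P<fips>[ -]FIPS)? (?P<ver>\d+\.\d+\.\d+)")

# (first affected, first fixed) per the advisory text above.
AFFECTED = {
    "AWS-LC": ((1, 24, 0), (1, 71, 0)),
    "AWS-LC-FIPS": ((3, 0, 0), (3, 3, 0)),
}

# Constructed stand-ins for two binaries: a shared library linked against a vulnerable
# AWS-LC and an application statically linked against a fixed AWS-LC-FIPS. Not real ELF.
SAMPLE_LIBCRYPTO = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
                    + b"OpenSSL 1.1.1 (compatible; AWS-LC 1.70.0)\x00" + b"\x90" * 8)
SAMPLE_APP = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
              + b"OpenSSL 1.1.1 (compatible; AWS-LC FIPS 3.3.0)\x00")

def parse_version(text: str) -> Version:
    major, minor, patch = (int(p) for p in text.split("."))
    return major, minor, patch

def classify(product: str, version: Version) -> str:
    """Verdict for one (product, version) against the advisory's affected ranges."""
    lo, hi = AFFECTED[product]
    if lo <= version < hi:
        return "VULNERABLE"
    return "fixed" if version >= hi else "outside advisory range"

def scan_bytes(data) -> Set[Tuple[str, Version]]:
    """Every (product, version) pair whose version text appears in `data` (bytes or mmap)."""
    found = set()
    for m in VERSION_RE.finditer(data):
        product = "AWS-LC-FIPS" if m.group("fips") else "AWS-LC"
        found.add((product, parse_version(m.group("ver").decode("ascii"))))
    return found

def scan_file(path: Path) -> Set[Tuple[str, Version]]:
    """Scan one regular file; symlinks and empty files are skipped."""
    if path.is_symlink() or not path.is_file() or path.stat().st_size == 0:
        return set()
    with path.open("rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_bytes(mm)             # mmap avoids loading large binaries into memory

def scan_tree(root: Path) -> List[Tuple[str, str, Version, str]]:
    """(path, product, version, verdict) for every AWS-LC version string under `root`."""
    rows = []
    for p in sorted(root.rglob("*")):
        try:
            hits = scan_file(p)
        except OSError:
            continue                      # unreadable file: skip it, do not abort the scan
        for product, version in sorted(hits):
            rows.append((str(p), product, version, classify(product, version)))
    return rows

def demo() -> List[Tuple[str, str, str]]:
    """Run the classifier over the constructed samples instead of the filesystem."""
    out = []
    for name, blob in (("libcrypto.so", SAMPLE_LIBCRYPTO), ("app", SAMPLE_APP)):
        for product, version in sorted(scan_bytes(blob)):
            out.append((name, product, classify(product, version)))
    return out

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, product, version, verdict in scan_tree(Path(sys.argv[1])):
            print(f"{verdict:<22} {product:<12} {'.'.join(map(str, version))}  {path}")
    else:
        for name, product, verdict in demo():
            print(f"{verdict:<22} {product:<12} {name}")
```

Point it at both your shared-library directories and your application binaries: a dynamically linked service shows the string inside `libcrypto.so`, a statically linked one shows it inside the application itself, which is the distinction the two deployment steps above draw. A VULNERABLE hit in an application binary that sits next to a fixed copy of the shared library is the typical sign of a static link that has not been rebuilt.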
References
Read the full report for CVE-2026-4428 on our website for more details including interactive diagrams and full exploit analysis.