CVE-2026-4428
HIGH7.4EPSS 0.03%CRL Distribution Point Scope Check Logic Error in AWS-LC
描述
A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions. Customers of AWS services do not need to take action. `aws-lc-sys` contains code from AWS-LC. Applications using `aws-lc-sys` should upgrade to the most recent release of `aws-lc-sys`. ## Workarounds Applications can workaround this issue if they do not enable CRL checking (`X509_V_FLAG_CRL_CHECK`). Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected. Otherwise, there is no workaround and applications using `aws-lc-sys` should upgrade to the most recent releases of `aws-lc-sys`.
受影響套件(4)
- crates.io/aws-lc-fips-sys>= 0.13.0, < 0.13.13
- crates.io/aws-lc-fips-sys>= 0.13.0, < 0.13.13
- crates.io/aws-lc-sys>= 0.15.0, < 0.39.0
- crates.io/aws-lc-sys>= 0.15.0, < 0.39.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
參考連結(7)
- PATCHhttps://crates.io/crates/aws-lc-fips-sys
- PATCHhttps://crates.io/crates/aws-lc-sys
- PATCHhttps://github.com/aws/aws-lc-rs
- WEBhttps://aws.amazon.com/security/security-bulletins/2026-010-AWS
- WEBhttps://github.com/aws/aws-lc-rs/security/advisories/GHSA-9f94-5g5w-gf6r
- WEBhttps://rustsec.org/advisories/RUSTSEC-2026-0042.html
- WEBhttps://rustsec.org/advisories/RUSTSEC-2026-0048.html