Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Multiple security vulnerabilities affect the ztunnel-fips package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "ztunnel-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.1-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the ztunnel-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-LK63891",
"modified": "2026-03-25T05:12:36Z",
"published": "2026-04-01T09:22:08.586608Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-LK63891.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4428"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2gh3-rmm4-6rq5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-394x-vwmw-crm3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-434x-w66g-qw3r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-65p9-r9h6-22vj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9f94-5g5w-gf6r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hfpc-8r3f-gw53"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwjx-qhcg-rvj4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6v5-fh4h-64xc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rhfx-m35p-ff5j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vw5v-4f2q-w9xf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xwfj-jgwm-7wp5"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4428"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2026-4428, ghsa-2gh3-rmm4-6rq5, ghsa-394x-vwmw-crm3, ghsa-434x-w66g-qw3r, ghsa-65p9-r9h6-22vj, ghsa-9f94-5g5w-gf6r, ghsa-hfpc-8r3f-gw53, ghsa-pwjx-qhcg-rvj4, ghsa-r6v5-fh4h-64xc, ghsa-rhfx-m35p-ff5j, ghsa-vw5v-4f2q-w9xf, ghsa-xwfj-jgwm-7wp5 applied in versions: 1.28.2-r0, 1.29.0-r0, 1.29.1-r0",
"upstream": [
"CVE-2026-4428",
"ghsa-2gh3-rmm4-6rq5",
"ghsa-394x-vwmw-crm3",
"ghsa-434x-w66g-qw3r",
"ghsa-65p9-r9h6-22vj",
"ghsa-9f94-5g5w-gf6r",
"ghsa-hfpc-8r3f-gw53",
"ghsa-pwjx-qhcg-rvj4",
"ghsa-r6v5-fh4h-64xc",
"ghsa-rhfx-m35p-ff5j",
"ghsa-vw5v-4f2q-w9xf",
"ghsa-xwfj-jgwm-7wp5"
]
}
GHSA-434X-W66G-QW3R
Vulnerability from github – Published: 2026-02-03 19:17 – Updated: 2026-02-05 00:37Details
In the unique reclaim path of BytesMut::reserve, the condition
if v_capacity >= new_cap + offset
uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.
This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.
PoC
use bytes::*;
fn main() {
let mut a = BytesMut::from(&b"hello world"[..]);
let mut b = a.split_off(5);
// Ensure b becomes the unique owner of the backing storage
drop(a);
// Trigger overflow in new_cap + offset inside reserve
b.reserve(usize::MAX - 6);
// This call relies on the corrupted cap and may cause UB & HBO
b.put_u8(b'h');
}
Workarounds
Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.
This vulnerability is also known as RUSTSEC-2026-0007.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "bytes"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.1"
},
{
"fixed": "1.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25541"
],
"database_specific": {
"cwe_ids": [
"CWE-680"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-03T19:17:46Z",
"nvd_published_at": "2026-02-04T22:16:00Z",
"severity": "MODERATE"
},
"details": "# Details\n\nIn the unique reclaim path of `BytesMut::reserve`, the condition\n```rs\nif v_capacity \u003e= new_cap + offset\n```\nuses an unchecked addition. When `new_cap + offset` overflows `usize` in release builds, this condition may incorrectly pass, causing `self.cap` to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as `spare_capacity_mut()` then trust this corrupted `cap` value and may create out-of-bounds slices, leading to UB.\n\nThis behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.\n\n## PoC\n\n```rs\nuse bytes::*;\n\nfn main() {\n let mut a = BytesMut::from(\u0026b\"hello world\"[..]);\n let mut b = a.split_off(5);\n\n // Ensure b becomes the unique owner of the backing storage\n drop(a);\n\n // Trigger overflow in new_cap + offset inside reserve\n b.reserve(usize::MAX - 6);\n\n // This call relies on the corrupted cap and may cause UB \u0026 HBO\n b.put_u8(b\u0027h\u0027);\n}\n```\n\n# Workarounds\n\nUsers of `BytesMut::reserve` are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.\n\nThis vulnerability is also known as [RUSTSEC-2026-0007](https://rustsec.org/advisories/RUSTSEC-2026-0007.html).",
"id": "GHSA-434x-w66g-qw3r",
"modified": "2026-02-05T00:37:18Z",
"published": "2026-02-03T19:17:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25541"
},
{
"type": "WEB",
"url": "https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f"
},
{
"type": "PACKAGE",
"url": "https://github.com/tokio-rs/bytes"
},
{
"type": "WEB",
"url": "https://github.com/tokio-rs/bytes/releases/tag/v1.11.1"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "bytes has integer overflow in BytesMut::reserve"
}
GHSA-HFPC-8R3F-GW53
Vulnerability from github – Published: 2026-03-03 20:25 – Updated: 2026-03-25 18:31Summary
AWS-LC is an open-source, general-purpose cryptographic library.
Impact
Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
Impacted versions:
aws-lc-sys versions: >= 0.24.0, < 0.38.0
Patches
The patch is included in v0.38.0
Workarounds
There is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
Resources
If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "aws-lc-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0.24.0"
},
{
"fixed": "0.38.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T20:25:39Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nAWS-LC is an open-source, general-purpose cryptographic library.\n\n### Impact\nImproper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.\n\nCustomers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.\n\n#### Impacted versions: \naws-lc-sys versions: \u003e= 0.24.0, \u003c 0.38.0\n\n### Patches\nThe patch is included in v0.38.0\n\n### Workarounds\nThere is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.\n\n### Resources\nIf there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
"id": "GHSA-hfpc-8r3f-gw53",
"modified": "2026-03-25T18:31:14Z",
"published": "2026-03-03T20:25:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-lc-rs/security/advisories/GHSA-hfpc-8r3f-gw53"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3338"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-005-AWS"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-lc-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0047.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "AWS-LC has PKCS7_verify Signature Validation Bypass"
}
GHSA-394X-VWMW-CRM3
Vulnerability from github – Published: 2026-03-20 20:34 – Updated: 2026-03-20 20:34Summary
AWS-LC is an open-source, general-purpose cryptographic library.
Impact
A logic error in CN (Common Name) validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid DNS identifiers, causing NAME_CONSTRAINTS_check_CN to skip validation. However, X509_check_host accepts these CN values when no dNSName SAN is present, allowing certificates to bypass name constraints while still being used for hostname verification.
Customers of AWS services do not need to take action. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
Impacted versions:
- aws-lc-sys >= v0.32.0, < v0.39.0
Patches
The patch is included in aws-lc-sys v0.39.0.
Workarounds
Applications that set X509_CHECK_FLAG_NEVER_CHECK_SUBJECT to disable CN fallback are not affected. Applications that only encounter certificates with dNSName SANs (standard for public WebPKI) are also not affected.
Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.
References
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Credits
Oleh Konko from 1seal (https://1seal.org/)
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "aws-lc-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0.32.0"
},
{
"fixed": "0.39.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-155",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:34:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nAWS-LC is an open-source, general-purpose cryptographic library.\n\n### Impact\n\nA logic error in CN (Common Name) validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The `cn2dnsid` function does not recognize these CN patterns as valid DNS identifiers, causing `NAME_CONSTRAINTS_check_CN` to skip validation. However, `X509_check_host` accepts these CN values when no dNSName SAN is present, allowing certificates to bypass name constraints while still being used for hostname verification.\n\nCustomers of AWS services do not need to take action. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.\n\n### Impacted versions:\n\n* aws-lc-sys \u003e= v0.32.0, \u003c v0.39.0\n\n### Patches\n\nThe patch is included in aws-lc-sys v0.39.0.\n\n### Workarounds\n\nApplications that set `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` to disable CN fallback are not affected. Applications that only encounter certificates with dNSName SANs (standard for public WebPKI) are also not affected.\n\nOtherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.\n\n### References\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n### Credits\n\nOleh Konko from 1seal (https://1seal.org/)",
"id": "GHSA-394x-vwmw-crm3",
"modified": "2026-03-20T20:34:59Z",
"published": "2026-03-20T20:34:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-lc-rs/security/advisories/GHSA-394x-vwmw-crm3"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-lc-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0044.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN"
}
GHSA-RHFX-M35P-FF5J
Vulnerability from github – Published: 2026-01-07 20:38 – Updated: 2026-01-07 20:38Affected versions of this crate contain a soundness issue in the IterMut iterator implementation. The IterMut::next and IterMut::next_back methods temporarily create an exclusive reference to the key when dereferencing the internal node pointer.
This invalidates the shared pointer held by the internal HashMap, violating Stacked Borrows rules.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "lru"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "0.16.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-07T20:38:57Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Affected versions of this crate contain a soundness issue in the `IterMut` iterator implementation. The `IterMut::next` and `IterMut::next_back` methods temporarily create an exclusive reference to the key when dereferencing the internal node pointer.\n\nThis invalidates the shared pointer held by the internal `HashMap`, violating Stacked Borrows rules.",
"id": "GHSA-rhfx-m35p-ff5j",
"modified": "2026-01-07T20:38:57Z",
"published": "2026-01-07T20:38:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jeromefroe/lru-rs/pull/224"
},
{
"type": "PACKAGE",
"url": "https://github.com/jeromefroe/lru-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "`IterMut` violates Stacked Borrows by invalidating internal pointer"
}
GHSA-PWJX-QHCG-RVJ4
Vulnerability from github – Published: 2026-03-20 21:51 – Updated: 2026-03-25 19:56If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.
The impact was that correct provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.
This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rustls-webpki"
},
"ranges": [
{
"events": [
{
"introduced": "0.102.0-alpha.0"
},
{
"fixed": "0.103.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "rustls-webpki"
},
"ranges": [
{
"events": [
{
"introduced": "0.104.0-alpha.1"
},
{
"fixed": "0.104.0-alpha.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-299"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T21:51:17Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "If a certificate had more than one `distributionPoint`, then only the first `distributionPoint` would be considered against each CRL\u0027s `IssuingDistributionPoint` `distributionPoint`, and then the certificate\u0027s subsequent `distributionPoint`s would be ignored.\n\nThe impact was that correct provided CRLs would not be consulted to check revocation. With `UnknownStatusPolicy::Deny` (the default) this would lead to incorrect but safe `Error::UnknownRevocationStatus`. With `UnknownStatusPolicy::Allow` this would lead to inappropriate acceptance of revoked certificates.\n\nThis vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)\n\nMore likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.",
"id": "GHSA-pwjx-qhcg-rvj4",
"modified": "2026-03-25T19:56:38Z",
"published": "2026-03-20T21:51:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rustls/webpki/security/advisories/GHSA-pwjx-qhcg-rvj4"
},
{
"type": "PACKAGE",
"url": "https://github.com/rustls/webpki"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0049.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic"
}
GHSA-2GH3-RMM4-6RQ5
Vulnerability from github – Published: 2025-03-07 20:02 – Updated: 2025-08-01 19:20Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input.
This allows an attacker to cause a stack overflow when parsing the message on untrusted data.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53605"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-07T20:02:37Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input.\n\nThis allows an attacker to cause a stack overflow when parsing the message on untrusted data.",
"id": "GHSA-2gh3-rmm4-6rq5",
"modified": "2025-08-01T19:20:19Z",
"published": "2025-03-07T20:02:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53605"
},
{
"type": "WEB",
"url": "https://github.com/stepancheg/rust-protobuf/issues/749"
},
{
"type": "WEB",
"url": "https://github.com/stepancheg/rust-protobuf/commit/f06992f46771c0a092593b9ebf7afd48740b3ed6"
},
{
"type": "PACKAGE",
"url": "https://github.com/stepancheg/rust-protobuf"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0437.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Crash due to uncontrolled recursion in protobuf crate"
}
GHSA-XWFJ-JGWM-7WP5
Vulnerability from github – Published: 2025-08-29 20:33 – Updated: 2025-09-02 16:35Impact
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
- Manipulate terminal title bars
- Clear screens or modify terminal display
- Potentially mislead users through terminal manipulation
In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.
Patches
tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.
Workarounds
Avoid printing logs to terminal emulators without escaping ANSI control sequences.
References
https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/
Acknowledgments
We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.
If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "tracing-subscriber"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58160"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-29T20:33:56Z",
"nvd_published_at": "2025-08-29T22:15:32Z",
"severity": "LOW"
},
"details": "### Impact\n\nPrevious versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:\n\n- Manipulate terminal title bars\n- Clear screens or modify terminal display\n- Potentially mislead users through terminal manipulation\n\nIn isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.\n\n### Patches\n\n`tracing-subscriber` version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.\n\n### Workarounds\n\nAvoid printing logs to terminal emulators without escaping ANSI control sequences.\n\n### References\n\nhttps://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/\n\n\n### Acknowledgments\n\nWe would like to thank [zefr0x](http://github.com/zefr0x) who responsibly reported the issue at `security@tokio.rs`.\n\nIf you believe you have found a security vulnerability in any tokio-rs project, please email us at `security@tokio.rs`.",
"id": "GHSA-xwfj-jgwm-7wp5",
"modified": "2025-09-02T16:35:51Z",
"published": "2025-08-29T20:33:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tokio-rs/tracing/security/advisories/GHSA-xwfj-jgwm-7wp5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58160"
},
{
"type": "PACKAGE",
"url": "https://github.com/tokio-rs/tracing"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0055.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": " Tracing logging user input may result in poisoning logs with ANSI escape sequences"
}
GHSA-9F94-5G5W-GF6R
Vulnerability from github – Published: 2026-03-20 20:35 – Updated: 2026-03-20 20:35Summary
AWS-LC is an open-source, general-purpose cryptographic library.
Impact
A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions.
Customers of AWS services do not need to take action. aws-lc-sys and aws-lc-fips-sys contain code from AWS-LC. Applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys.
Impacted versions:
- aws-lc-sys >= v0.15.0, < v0.39.0
- aws-lc-fips-sys >= v0.13.0, < v0.13.13
Patches
The patch is included in aws-lc-sys v0.39.0 and aws-lc-fips-sys v0.13.13.
Workarounds
Applications can workaround this issue if they do not enable CRL checking (X509_V_FLAG_CRL_CHECK). Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected.
Otherwise, there is no workaround and applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys.
References
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "aws-lc-fips-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "0.13.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-lc-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0.15.0"
},
{
"fixed": "0.39.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:35:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nAWS-LC is an open-source, general-purpose cryptographic library.\n\n### Impact \n\nA logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions.\n\nCustomers of AWS services do not need to take action. aws-lc-sys and aws-lc-fips-sys contain code from AWS-LC. Applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys.\n\n### Impacted versions:\n* aws-lc-sys \u003e= v0.15.0, \u003c v0.39.0\n* aws-lc-fips-sys \u003e= v0.13.0, \u003c v0.13.13\n\n### Patches \n\nThe patch is included in aws-lc-sys v0.39.0 and aws-lc-fips-sys v0.13.13.\n\n### Workarounds\n\nApplications can workaround this issue if they do not enable CRL checking (X509_V_FLAG_CRL_CHECK). Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected.\n\nOtherwise, there is no workaround and applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys.\n\n### References\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
"id": "GHSA-9f94-5g5w-gf6r",
"modified": "2026-03-20T20:35:14Z",
"published": "2026-03-20T20:35:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-lc-rs/security/advisories/GHSA-9f94-5g5w-gf6r"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-010-AWS"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-lc-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0042.html"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0048.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "CRL Distribution Point Scope Check Logic Error in AWS-LC"
}
GHSA-R6V5-FH4H-64XC
Vulnerability from github – Published: 2026-02-05 17:57 – Updated: 2026-02-23 22:34Impact
When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.
Patches
A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Workarounds
Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.
Alternatively, avoiding the format altogether would also ensure that the vulnerability is not encountered. To do this, add
disallowed-types = ["time::format_description::well_known::Rfc2822"]
to your clippy.toml file. This will trigger the clippy::disallowed_types lint, which is warn-by-default and can be explicitly denied.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "time"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.6"
},
{
"fixed": "0.3.47"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25727"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T17:57:55Z",
"nvd_published_at": "2026-02-06T20:16:11Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.\n\n### Patches\n\nA limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\n\n### Workarounds\n\nLimiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.\n\nAlternatively, avoiding the format altogether would also ensure that the vulnerability is not encountered. To do this, add\n\n```toml\ndisallowed-types = [\"time::format_description::well_known::Rfc2822\"]\n```\n\nto your `clippy.toml` file. This will trigger the `clippy::disallowed_types` lint, which is warn-by-default and can be explicitly denied.",
"id": "GHSA-r6v5-fh4h-64xc",
"modified": "2026-02-23T22:34:23Z",
"published": "2026-02-05T17:57:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25727"
},
{
"type": "WEB",
"url": "https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/time-rs/time"
},
{
"type": "WEB",
"url": "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"
},
{
"type": "WEB",
"url": "https://github.com/time-rs/time/releases/tag/v0.3.47"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0009.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"type": "CVSS_V4"
}
],
"summary": "time vulnerable to stack exhaustion Denial of Service attack"
}
GHSA-65P9-R9H6-22VJ
Vulnerability from github – Published: 2026-03-03 20:09 – Updated: 2026-03-25 18:26Summary
AWS-LC is an open-source, general-purpose cryptographic library.
Impact
Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.
The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.
Customers of AWS services do not need to take action. aws-lc-sys and aws-lc-fips-sys contain code from AWS-LC. Applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys.
Impacted versions:
- aws-lc-sys versions: >= 0.14.0, < 0.38.0
- aws-lc-fips-sys versions: >= v0.13.0, < 0.13.12.
Patches
The patch is included in aws-lc-sys v.0.38.0 and aws-lc-fips-sys v0.13.12.
Workarounds
In the special cases of using AES-CCM with (M=4, L=2), (M=8, L=2), or (M=16, L=2), applications can workaround this issue by using AES-CCM through the EVP AEAD API using implementations EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, and, EVP_aead_aes_128_ccm_matter respectively.
Otherwise, there is no workaround and applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys.
Resources
If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via thevulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Acknowledgement
AWS-LC would like to thank Joshua Rogers (https://joshua.hu/) for collaborating on this issue through the coordinated vulnerability disclosure process.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "aws-lc-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0.14.0"
},
{
"fixed": "0.38.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-lc-fips-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "0.13.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-208"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T20:09:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nAWS-LC is an open-source, general-purpose cryptographic library.\n\n### Impact\nObservable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.\n\nThe impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm.\n\nCustomers of AWS services do not need to take action. aws-lc-sys and aws-lc-fips-sys contain code from AWS-LC. Applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys.\n\n### Impacted versions: \n - aws-lc-sys versions: \u003e= 0.14.0, \u003c 0.38.0\n - aws-lc-fips-sys versions: \u003e= v0.13.0, \u003c 0.13.12.\n\n### Patches\nThe patch is included in aws-lc-sys v.0.38.0 and aws-lc-fips-sys v0.13.12.\n\n### Workarounds\nIn the special cases of using AES-CCM with (M=4, L=2), (M=8, L=2), or (M=16, L=2), applications can workaround this issue by using AES-CCM through the EVP AEAD API using implementations EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, and, EVP_aead_aes_128_ccm_matter respectively.\n\nOtherwise, there is no workaround and applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys.\n\n### Resources\nIf there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the[vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n### Acknowledgement\nAWS-LC would like to thank Joshua Rogers (https://joshua.hu/) for collaborating on this issue through the coordinated vulnerability disclosure process.",
"id": "GHSA-65p9-r9h6-22vj",
"modified": "2026-03-25T18:26:08Z",
"published": "2026-03-03T20:09:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-lc-rs/security/advisories/GHSA-65p9-r9h6-22vj"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3337"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-005-AWS"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-lc-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0043.html"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AWS-LC has Timing Side-Channel in AES-CCM Tag Verification"
}
GHSA-VW5V-4F2Q-W9XF
Vulnerability from github – Published: 2026-03-03 20:08 – Updated: 2026-03-25 18:29Summary
AWS-LC is an open-source, general-purpose cryptographic library.
Impact
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.
Customers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
Impacted versions:
aws-lc-sys versions: >= 0.24.0, < 0.38.0
Patches
The patch is included in v0.38.0
Workarounds
There is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
Resources
If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Acknowledgement
AWS-LC would like to thank Joshua Rogers (https://joshua.hu/) for collaborating on this issue through the coordinated vulnerability disclosure process.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "aws-lc-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0.24.0"
},
{
"fixed": "0.38.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T20:08:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nAWS-LC is an open-source, general-purpose cryptographic library.\n\n### Impact\nImproper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.\n\nCustomers of AWS services do not need to take action. aws-lc-sys contains code from AWS-LC. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.\n\n#### Impacted versions: \naws-lc-sys versions: \u003e= 0.24.0, \u003c 0.38.0\n\n### Patches\nThe patch is included in v0.38.0\n\n### Workarounds\nThere is no workaround. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.\n\n### Resources\nIf there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n### Acknowledgement\nAWS-LC would like to thank Joshua Rogers (https://joshua.hu/) for collaborating on this issue through the coordinated vulnerability disclosure process.",
"id": "GHSA-vw5v-4f2q-w9xf",
"modified": "2026-03-25T18:29:18Z",
"published": "2026-03-03T20:08:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-lc-rs/security/advisories/GHSA-vw5v-4f2q-w9xf"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3336"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-005-AWS"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-lc-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0046.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AWS-LC has PKCS7_verify Certificate Chain Validation Bypass"
}
CVE-2026-4428 (GCVE-0-2026-4428)
Vulnerability from cvelistv5 – Published: 2026-03-19 20:37 – Updated: 2026-03-25 14:13- CWE-299 - Improper check for certificate revocation
| URL | Tags | |
|---|---|---|
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| AWS | AWS-LC |
Affected:
1.24.0 , < 1.71.0
(custom)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:13:28.437867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:13:42.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AWS-LC",
"vendor": "AWS",
"versions": [
{
"lessThan": "1.71.0",
"status": "affected",
"version": "1.24.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "AWS-LC-FIPS",
"vendor": "AWS",
"versions": [
{
"lessThan": "3.3.0",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.\u003cbr\u003e\u003cbr\u003eTo remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.\u003c/p\u003e"
}
],
"value": "A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.\n\nTo remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-299",
"description": "CWE-299 Improper check for certificate revocation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T20:40:06.587Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-010-AWS/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/aws/aws-lc/releases/tag/v1.71.0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CRL Distribution Point Scope Check Logic Error in AWS-LC",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-4428",
"datePublished": "2026-03-19T20:37:53.851Z",
"dateReserved": "2026-03-19T13:42:59.783Z",
"dateUpdated": "2026-03-25T14:13:42.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.