GHSA-394X-VWMW-CRM3

Vulnerability from github – Published: 2026-03-20 20:34 – Updated: 2026-03-20 20:34
VLAI?
Summary
AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN
Details

Summary

AWS-LC is an open-source, general-purpose cryptographic library.

Impact

A logic error in CN (Common Name) validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid DNS identifiers, causing NAME_CONSTRAINTS_check_CN to skip validation. However, X509_check_host accepts these CN values when no dNSName SAN is present, allowing certificates to bypass name constraints while still being used for hostname verification.

Customers of AWS services do not need to take action. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Impacted versions:

  • aws-lc-sys >= v0.32.0, < v0.39.0

Patches

The patch is included in aws-lc-sys v0.39.0.

Workarounds

Applications that set X509_CHECK_FLAG_NEVER_CHECK_SUBJECT to disable CN fallback are not affected. Applications that only encounter certificates with dNSName SANs (standard for public WebPKI) are also not affected.

Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.

References

If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Credits

Oleh Konko from 1seal (https://1seal.org/)

Severity ?
8.2 (High)
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "aws-lc-sys"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.32.0"
            },
            {
              "fixed": "0.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-155",
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:34:59Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAWS-LC is an open-source, general-purpose cryptographic library.\n\n### Impact\n\nA logic error in CN (Common Name) validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The `cn2dnsid` function does not recognize these CN patterns as valid DNS identifiers, causing `NAME_CONSTRAINTS_check_CN` to skip validation. However, `X509_check_host` accepts these CN values when no dNSName SAN is present, allowing certificates to bypass name constraints while still being used for hostname verification.\n\nCustomers of AWS services do not need to take action. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.\n\n### Impacted versions:\n\n* aws-lc-sys \u003e= v0.32.0, \u003c v0.39.0\n\n### Patches\n\nThe patch is included in aws-lc-sys v0.39.0.\n\n### Workarounds\n\nApplications that set `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` to disable CN fallback are not affected. Applications that only encounter certificates with dNSName SANs (standard for public WebPKI) are also not affected.\n\nOtherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.\n\n### References\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n### Credits\n\nOleh Konko from 1seal (https://1seal.org/)",
  "id": "GHSA-394x-vwmw-crm3",
  "modified": "2026-03-20T20:34:59Z",
  "published": "2026-03-20T20:34:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-lc-rs/security/advisories/GHSA-394x-vwmw-crm3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/aws-lc-rs"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0044.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.