CVE-2026-4428 in AWS-LC

Summary

by MITRE • 03/20/2026

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.

To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.


Analysis

by VulDB Data Team • 03/24/2026

The vulnerability identified as CVE-2026-4428 is a critical logic error in the Certificate Revocation List (CRL) distribution point validation of the AWS-LC cryptographic library. It affects versions prior to 1.71.0 and specifically concerns the check that decides whether a CRL is within the scope of a certificate's revocation checking. The issue stems from improper handling of partitioned CRLs: the library incorrectly rejects valid CRLs as out of scope, so revoked certificates may not be identified and rejected during certificate validation.

Technically, the defect lies in the CRL validation logic, where AWS-LC fails to correctly interpret partitioned CRL structures that are legitimately distributed across multiple locations or partitions. The misinterpretation occurs during the distribution point validation phase, where the library should verify that a CRL is accessible and appropriate for the certificate being validated. When a CRL is partitioned across multiple distribution points, or when the validation logic encounters a CRL structure that doesn't conform to the library's expected format, the validation process classifies the CRL as out of scope rather than handling the partitioned structure correctly. This error falls under CWE-252, which encompasses improper validation of certificate revocation information, and specifically relates to the improper handling of certificate validation logic in cryptographic libraries.
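To make the scope decision concrete, the following is an added example (not AWS-LC code and not part of the advisory) that models the RFC 5280 section 6.3.3 check a verifier applies before using a CRL, including a partitioned CRL that carries an Issuing Distribution Point; the CA name, URLs and serial numbers are constructed, and indirect CRLs are left out. It returns "undetermined" when no CRL is in scope, so a CRL that is wrongly rejected as out of scope can never silently read as "good".

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class IssuingDistributionPoint:  # subset of the extension in RFC 5280 section 5.2.5
    distribution_point: set = field(default_factory=set)  # DP names this partition covers
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False

@dataclass
class CRL:
    issuer: str
    idp: Optional[IssuingDistributionPoint]  # None means a full, unpartitioned CRL
    revoked_serials: set

@dataclass
class Certificate:
    issuer: str
    serial: int
    is_ca: bool
    crl_dp_names: set  # names from the certificate's cRLDistributionPoints extension

def crl_in_scope(cert: Certificate, crl: CRL) -> bool:
    """RFC 5280 6.3.3 (b)(2): may this CRL decide cert's status? Direct CRLs only."""
    if crl.issuer != cert.issuer:
        return False
    idp = crl.idp
    if idp is None:
        return True  # a full CRL covers every certificate the issuer signed
    # (i) a partitioned CRL must name one of the certificate's distribution points
    if idp.distribution_point and not (idp.distribution_point & cert.crl_dp_names):
        return False
    # (ii)/(iii) the partition's certificate-type flags must fit this certificate
    if idp.only_contains_user_certs and cert.is_ca:
        return False
    return not (idp.only_contains_ca_certs and not cert.is_ca)

def revocation_status(cert: Certificate, crls: list) -> str:
    """'revoked', 'good', or 'undetermined' when no CRL is in scope (fail closed)."""
    usable = [c for c in crls if crl_in_scope(cert, c)]
    if not usable:
        return "undetermined"  # never treat a missing or rejected CRL as 'good'
    return "revoked" if any(cert.serial in c.revoked_serials for c in usable) else "good"

# Constructed sample: one issuer, two CRL partitions, the leaf is revoked in partition 2.
CA = "CN=Example Issuing CA"
PART2_URL = "http://crl.example.test/p2.crl"
LEAF = Certificate(issuer=CA, serial=0x1001, is_ca=False, crl_dp_names={PART2_URL})
PART1 = CRL(CA, IssuingDistributionPoint({"http://crl.example.test/p1.crl"}, only_contains_user_certs=True), {0x0042})
PART2 = CRL(CA, IssuingDistributionPoint({PART2_URL}, only_contains_user_certs=True), {0x1001})
```

A checker that rejected PART2 as out of scope would only ever see PART1 for LEAF and end up at "undetermined"; the bypass described above arises when that result is treated as "good" instead of failing closed.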

The operational impact of this vulnerability is significant because it creates a bypass of certificate revocation checks that malicious actors could exploit. When a certificate is revoked but the CRL validation fails because the partitioned CRL was rejected, the revoked certificate may continue to be accepted as valid by systems relying on AWS-LC for cryptographic operations. This directly affects the trust model of certificate-based security systems and could enable man-in-the-middle attacks or other cryptographic bypasses in which compromised certificates continue to be trusted. The issue aligns with ATT&CK technique T1556.002, which covers credential manipulation through certificate validation bypasses, and represents a fundamental failure in the certificate validation pipeline that undermines the security of TLS connections, code signing, and other cryptographic operations that depend on proper revocation checking.

The remediation process requires upgrading to AWS-LC version 1.71.0 or AWS-LC-FIPS-3.3.0, which includes corrected validation logic for CRL distribution points. This upgrade addresses the core issue by implementing proper handling of partitioned CRL structures and ensuring that valid CRLs are correctly recognized as within scope regardless of their partitioning structure. Organizations should also conduct comprehensive testing of their cryptographic implementations to ensure that the upgrade does not introduce compatibility issues with existing certificate validation workflows. System administrators should verify that all systems using AWS-LC for certificate validation are updated and that certificate validation processes continue to function correctly after the upgrade. The fix demonstrates proper certificate validation implementation that aligns with industry standards for PKI certificate handling and ensures that revoked certificates are properly identified and rejected during cryptographic validation processes.

Responsible

AMZN

Reservation

03/19/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00026

KEV

no

Activities

very low

Sources
