RUSTSEC-2026-0048: CRL Distribution Point Scope Check Logic Error in AWS-LC #4499
Description
| Details | |
|---|---|
| Package | aws-lc-sys |
| Version | 0.38.0 |
| URL | https://aws.amazon.com/security/security-bulletins/2026-010-AWS |
| Patched Versions | >=0.39.0 |
| Unaffected Versions | <0.15.0 |
| Aliases | CVE-2026-4428, GHSA-9f94-5g5w-gf6r |
A logic error in CRL distribution point matching in AWS-LC allows a revoked
certificate to bypass revocation checks during certificate validation, when
the application enables CRL checking and uses partitioned CRLs with Issuing
Distribution Point (IDP) extensions.
Customers of AWS services do not need to take action. aws-lc-sys contains
code from AWS-LC. Applications using aws-lc-sys should upgrade to the most
recent release of aws-lc-sys.
Workarounds
Applications can workaround this issue if they do not enable CRL checking
(X509_V_FLAG_CRL_CHECK). Applications using complete (non-partitioned)
CRLs without IDP extensions are also not affected.
Otherwise, there is no workaround and applications using aws-lc-sys should
upgrade to the most recent releases of aws-lc-sys.