GHSA-394x-vwmw-crm3
Summary
AWS-LC is an open-source, general-purpose cryptographic library.
Impact
A logic error in CN (Common Name) validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid DNS identifiers, causing NAMECONSTRAINTScheck_CN to skip validation. However, X509checkhost accepts these CN values when no dNSName SAN is present, allowing certificates to bypass name constraints while still being used for hostname verification.
Customers of AWS services do not need to take action. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
Impacted versions:
- aws-lc-sys >= v0.32.0, < v0.39.0
Patches
The patch is included in aws-lc-sys v0.39.0.
Workarounds
Applications that set X509CHECKFLAGNEVERCHECK_SUBJECT to disable CN fallback are not affected. Applications that only encounter certificates with dNSName SANs (standard for public WebPKI) are also not affected.
Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.
References
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Credits
Oleh Konko from 1seal (https://1seal.org/)
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/aws/aws-lc-rs/security/advisories/GHSA-394x-vwmw-crm3, https://github.com/aws/aws-lc-rs, https://rustsec.org/advisories/RUSTSEC-2026-0044.html
Basic Information
