Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-3337

CVE-2026-3337: AWS-LC Timing Discrepancy Vulnerability

CVE-2026-3337 is an information disclosure vulnerability in AWS-LC affecting AES-CCM decryption through timing analysis attacks. This post covers the technical details, affected EVP CIPHER APIs, and upgrade guidance.

Published: March 6, 2026

CVE-2026-3337 Overview

CVE-2026-3337 is a timing attack vulnerability in the AES-CCM decryption implementation within AWS-LC (AWS Libcrypto). This cryptographic side-channel vulnerability allows an unauthenticated attacker to potentially determine authentication tag validity through careful timing analysis of the decryption process. The vulnerability represents a significant cryptographic weakness that could undermine the integrity guarantees provided by authenticated encryption.

The impacted implementations are accessible through the EVP CIPHER API, specifically affecting EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm functions. Applications utilizing these cipher implementations may be susceptible to attackers who can measure response times to infer information about cryptographic operations.

Critical Impact

Attackers can exploit observable timing discrepancies during AES-CCM decryption to determine whether authentication tags are valid, potentially enabling forgery attacks or bypassing cryptographic integrity protections in affected applications.

Affected Products

  • AWS-LC versions prior to 1.69.0
  • Applications using EVP_aes_128_ccm cipher implementation
  • Applications using EVP_aes_192_ccm cipher implementation
  • Applications using EVP_aes_256_ccm cipher implementation

Discovery Timeline

  • 2026-03-02 - CVE-2026-3337 published to NVD
  • 2026-03-03 - Last updated in NVD database

Technical Details for CVE-2026-3337

Vulnerability Analysis

This vulnerability falls under CWE-208 (Observable Timing Discrepancy), a well-known class of side-channel attacks affecting cryptographic implementations. The core issue lies in the AES-CCM decryption routine's non-constant-time behavior when validating authentication tags.

In properly implemented authenticated encryption, the time taken to process valid versus invalid authentication tags should be indistinguishable to an external observer. However, the affected AWS-LC implementations exhibit measurable timing differences during tag validation, creating an observable side channel. An attacker positioned to measure these timing discrepancies—either through network latency measurements or local timing—can systematically probe the decryption process to distinguish between valid and invalid authentication tags.

The network-accessible nature of this vulnerability is particularly concerning, as it enables remote exploitation without authentication. While the attack requires high complexity and precise timing measurements, sophisticated adversaries with the ability to perform repeated queries could exploit this weakness to forge encrypted messages or bypass integrity checks.

Root Cause

The root cause is non-constant-time comparison logic in the AES-CCM authentication tag validation code path within AWS-LC. When comparing the computed authentication tag against the provided tag, the implementation introduces timing variations that correlate with the correctness of the tag bytes. This violates the fundamental principle of constant-time cryptographic operations, which requires that execution time remain independent of secret data or comparison results.

Attack Vector

The attack exploits network-accessible timing discrepancies in the AES-CCM decryption process. An attacker conducts the attack by:

  1. Sending multiple decryption requests with crafted ciphertexts and authentication tags
  2. Measuring the precise response times for each request
  3. Performing statistical analysis to identify timing variations correlated with tag validity
  4. Using the leaked timing information to progressively determine valid authentication tag values

This timing oracle attack can be conducted remotely over a network, though it requires high attack complexity due to the need for precise timing measurements and statistical analysis across many samples. The vulnerability does not require any user interaction or privileges to exploit.

Detection Methods for CVE-2026-3337

Indicators of Compromise

  • Unusual patterns of decryption requests with varying authentication tags from a single source
  • High-frequency requests to endpoints performing AES-CCM decryption operations
  • Statistical anomalies in request patterns suggesting timing oracle exploitation attempts
  • Network traffic analysis showing repeated identical ciphertext submissions with different tags

Detection Strategies

  • Monitor application logs for abnormal volumes of decryption failures from individual clients
  • Implement rate limiting on endpoints that perform authenticated decryption operations
  • Deploy network-level anomaly detection to identify timing attack patterns
  • Review AWS-LC version deployed in production systems against vulnerable versions (< 1.69.0)

Monitoring Recommendations

  • Enable verbose logging for cryptographic operations to track decryption request patterns
  • Configure alerting for elevated rates of authentication tag validation failures
  • Monitor network latency patterns to identify potential timing measurement activity
  • Conduct periodic security audits of applications using AWS-LC EVP CIPHER APIs

How to Mitigate CVE-2026-3337

Immediate Actions Required

  • Upgrade AWS-LC to version 1.69.0 or later immediately
  • Audit all applications to identify usage of EVP_aes_128_ccm, EVP_aes_192_ccm, or EVP_aes_256_ccm
  • Implement additional rate limiting on cryptographic operation endpoints as a defense-in-depth measure
  • Review network architecture to minimize attacker ability to perform precise timing measurements

Patch Information

AWS has released AWS-LC version 1.69.0 which addresses this timing vulnerability with constant-time authentication tag comparison logic. The fix ensures that tag validation operations complete in the same time regardless of whether the tag is valid or invalid, eliminating the observable timing discrepancy.

For detailed patch information and release notes, refer to the GitHub Release v1.69.0 and the AWS Security Bulletin 2026-005. Additional technical details are available in the GitHub Security Advisory GHSA-frmv-5gcm-jwxh.

Note: AWS has stated that customers of AWS services do not need to take action, as AWS-managed infrastructure has been updated. Only applications directly using the AWS-LC library require updates.

Workarounds

  • Consider using alternative authenticated encryption modes (AES-GCM) if upgrading AWS-LC is not immediately feasible
  • Implement application-level timing noise to obscure actual decryption response times
  • Deploy network-level jitter or rate limiting to reduce timing measurement precision
  • Place vulnerable endpoints behind additional authentication to limit attacker access
bash
# Verify AWS-LC version and upgrade
# Check current AWS-LC version in your application dependencies
grep -r "aws-lc" package.json requirements.txt go.mod Cargo.toml

# Update to patched version 1.69.0
# For applications using AWS-LC directly, update your dependency configuration
# to require version >= 1.69.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechAws Lc
  • SeverityHIGH
  • CVSS Score8.2
  • EPSS Probability0.08%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-208
  • Technical References
  • AWS Security Bulletin 2026-005
  • GitHub Release v1.69.0
  • GitHub Security Advisory GHSA-frmv-5gcm-jwxh
  • Latest CVEs
  • CVE-2025-52793: Esselink.nu Settings CSRF Vulnerability
  • CVE-2025-52772: Virtual Moderator CSRF Vulnerability
  • CVE-2025-48279: WC MyParcel Belgium XSS Vulnerability
  • CVE-2025-39381: KiotViet Sync CSRF Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English