Improper Certificate Validation Affecting aws-lc-sys package, versions >=0.32.0 <0.39.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-AWSLCSYS-15747111
- published22 Mar 2026
- disclosed20 Mar 2026
- creditUnknown
Introduced: 20 Mar 2026
New CVE NOT AVAILABLE CWE-155 (opens in a new tab)How to fix?
Upgrade aws-lc-sys to version 0.39.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Certificate Validation in the cn2dnsid function during certificate validation. An attacker can bypass name constraints enforcement by presenting certificates with wildcard or raw UTF-8 Unicode Common Name values, which are not recognized as valid DNS identifiers, allowing unauthorized certificates to be accepted for hostname verification when no dNSName SAN is present.
Note: This is only exploitable if applications do not set X509_CHECK_FLAG_NEVER_CHECK_SUBJECT and encounter certificates without dNSName SANs.
Workaround
This vulnerability can be mitigated by configuring applications to set X509_CHECK_FLAG_NEVER_CHECK_SUBJECT to disable CN fallback or by ensuring only certificates with dNSName SANs are accepted.