AI Platform AISLE Uncovers 13 Vulnerabilities in Amazon's Cryptographic Libraries AWS-LC and s2n-TLS
Key Takeaways
- AISLE's AI analyzer discovered 13 vulnerabilities across AWS-LC and s2n-TLS, Amazon's core cryptographic libraries used across AWS services and major open-source projects
- Three CVEs were assigned, including a critical certificate chain validation flaw that only verified the last signer instead of all signers in PKCS#7 signatures
- All vulnerabilities have been patched with no impact to AWS cloud services, though customers directly using these libraries should upgrade immediately
Summary
Security research firm AISLE has discovered 13 security vulnerabilities in Amazon's core cryptographic stack, specifically in the AWS-LC and s2n-TLS libraries. Using its autonomous AI analyzer, AISLE identified eight issues in AWS-LC and five in s2n-TLS, three of which received CVE assignments: CVE-2026-3336, CVE-2026-3337, and CVE-2026-3338. The vulnerabilities ranged from logic bugs to classic memory management issues, including a critical flaw in PKCS7_verify that validated only the last signer in certificate chains rather than all signers. AWS-LC is Amazon's recommended cryptographic library across all of its services and is widely adopted in open-source projects such as HAProxy, Python, and NGINX.
AWS has confirmed that all identified issues have been addressed and no AWS cloud services were impacted. The company stated that customers using AWS cloud services require no action, though those directly integrating these libraries should upgrade to the latest releases. This discovery follows AISLE's January report of 12 vulnerabilities in OpenSSL, including a critical severity CVE, demonstrating the platform's capability to identify security flaws in widely-used cryptographic libraries. The findings included memory management issues, divide-by-zero errors, type confusions, use-after-frees, and various logic bugs.
The most significant vulnerability, CVE-2026-3336, affected the PKCS7_verify function which incorrectly validated only the last certificate signer in a chain instead of verifying each signer sequentially. Other notable issues included a non-constant-time tag verification in AES-CCM (CVE-2026-3337) and an attacker-controlled over-allocation vulnerability in s2n-TLS's PrefixedList implementation. Amazon acknowledged AISLE's responsible disclosure process and expressed interest in continued collaboration to protect customers and the broader industry.
The discovery demonstrates AI's growing capability in automated security analysis, following AISLE's previous identification of 12 OpenSSL vulnerabilities.
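An added illustration, not AWS-LC's or s2n-TLS's own code, of the two bug patterns described in the summary: a PKCS#7 signer loop that keeps only the last signer's result beside one that requires every signer to verify, and a constant-time tag comparison of the kind an AES-CCM tag check needs. The signer outcomes and tag bytes are constructed sample data, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not real signature results): the outcome of
 * verifying each SignerInfo in a PKCS#7 message, 1 = valid, 0 = invalid. */
static const int kSignersAllGood[]  = {1, 1, 1};
static const int kSignersBadFirst[] = {0, 1, 1};

/* Buggy pattern: `ret` is overwritten on every iteration, so the function
 * reports only the LAST signer's result and forgets earlier failures. */
static int verify_signers_last_only(const int *signer_ok, size_t n)
{
    int ret = 0;
    for (size_t i = 0; i < n; i++)
        ret = signer_ok[i];
    return ret;
}

/* Fixed pattern: every signer must verify; the first failure is final. */
static int verify_signers_all(const int *signer_ok, size_t n)
{
    if (n == 0)
        return 0; /* no signers means nothing was verified */
    for (size_t i = 0; i < n; i++)
        if (!signer_ok[i])
            return 0;
    return 1;
}

/* Constant-time tag comparison: every byte is examined whatever the
 * position of the first mismatch, so timing does not reveal how much of
 * a forged tag was right. Returns 1 when equal, 0 otherwise. */
static int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t len)
{
    unsigned int diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned int)(a[i] ^ b[i]);
    return (int)(1u & ((diff - 1u) >> 8)); /* 1 only when diff == 0 */
}

int main(void)
{
    printf("bad first signer, last-only check: %d (accepted: the bug)\n",
           verify_signers_last_only(kSignersBadFirst, 3));
    printf("bad first signer, all-signers check: %d; all good: %d\n",
           verify_signers_all(kSignersBadFirst, 3),
           verify_signers_all(kSignersAllGood, 3));
    return 0;
}
```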
Editorial Opinion
AISLE's consecutive discoveries in OpenSSL and now AWS-LC represent a significant validation of AI-powered security analysis for critical infrastructure. The fact that these widely-audited cryptographic libraries—used by millions of applications—still harbored exploitable flaws suggests traditional security methods may be missing systematic vulnerability patterns that AI can detect. However, the relatively low-severity nature of most findings (only 3 of 13 received CVEs) also highlights that while AI excels at finding edge cases and logic errors, the most critical vulnerabilities may still require human insight to contextualize real-world exploitability.