Nixpkgs security tracker

Permalink CVE-2026-4428

7.4 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month ago Activity log

Created suggestion 1 month ago

CRL Distribution Point Scope Check Logic Error in AWS-LC

A logic error in CRL distribution point validation in AWS-LC before 1.71.0 causes partitioned CRLs to be incorrectly rejected as out of scope, which allows a revoked certificate to bypass certificate revocation checks. To remediate this issue, users should upgrade to AWS-LC 1.71.0 or AWS-LC-FIPS-3.3.0.

References

https://aws.amazon.com/security/security-bulletins/2026-010-AWS/ vendor-advisory
https://github.com/aws/aws-lc/releases/tag/v1.71.0 patch

Affected products

AWS-LC

<1.71.0

AWS-LC-FIPS

<3.3.0

Matching in nixpkgs

pkgs.aws-lc

General-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers

nixos-unstable 1.69.0
- nixpkgs-unstable 1.69.0
- nixos-unstable-small 1.69.0
nixos-25.11 1.65.0
- nixos-25.11-small 1.65.0
- nixpkgs-25.11-darwin 1.65.0

Package maintainers

@theoparis Theo Paris <theo@tinted.dev>

Permalink CVE-2026-3337

5.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

Timing Side-Channel in AES-CCM Tag Verification in AWS-LC

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

References

https://aws.amazon.com/security/security-bulletins/2026-005-AWS/ vendor-advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0 patch
https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh third-party-advisory

Affected products

AWS-LC

<1.69.0

AWS-LC-FIPS

<3.2.0

Matching in nixpkgs

pkgs.aws-lc

General-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers

nixos-unstable 1.67.0
- nixpkgs-unstable 1.67.0
- nixos-unstable-small 1.67.0
nixos-25.11 1.65.0
- nixos-25.11-small 1.65.0
- nixpkgs-25.11-darwin 1.65.0

Package maintainers

@theoparis Theo Paris <theo@tinted.dev>

Permalink CVE-2026-3336

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

PKCS7_verify Certificate Chain Validation Bypass in AWS-LC

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

References

https://aws.amazon.com/security/security-bulletins/2026-005-AWS/ vendor-advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0 patch
https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp third-party-advisory

Affected products

AWS-LC

<1.69.0

Matching in nixpkgs

pkgs.aws-lc

General-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers

nixos-unstable 1.67.0
- nixpkgs-unstable 1.67.0
- nixos-unstable-small 1.67.0
nixos-25.11 1.65.0
- nixos-25.11-small 1.65.0
- nixpkgs-25.11-darwin 1.65.0

Package maintainers

@theoparis Theo Paris <theo@tinted.dev>

Permalink CVE-2026-3338

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

PKCS7_verify Signature Validation Bypass in AWS-LC

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.

References

https://aws.amazon.com/security/security-bulletins/2026-005-AWS/ vendor-advisory
https://github.com/aws/aws-lc/releases/tag/v1.69.0 patch
https://github.com/aws/aws-lc/security/advisories/GHSA-jchq-39cv-q4wj third-party-advisory

Affected products

AWS-LC

<1.69.0

Matching in nixpkgs

pkgs.aws-lc

General-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers

nixos-unstable 1.67.0
- nixpkgs-unstable 1.67.0
- nixos-unstable-small 1.67.0
nixos-25.11 1.65.0
- nixos-25.11-small 1.65.0
- nixpkgs-25.11-darwin 1.65.0

Package maintainers

@theoparis Theo Paris <theo@tinted.dev>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.aws-lc

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.aws-lc

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.aws-lc

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.aws-lc

Package maintainers