CVE-2026-9150 (HIGH): detected in Lambda Docker Images. #548

@the-lambda-watchdog

CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-9150 | HIGH | libsolv | 0.7.22-1.amzn2023.0.3 | 0.7.22-1.amzn2023.0.4 | 2026-05-20T23:16:36.01Z | 2026-06-09T10:18:59.124160406Z |

Affected Docker Images

| Image Name | SHA |
| --- | --- |
| public.ecr.aws/lambda/provided:latest | public.ecr.aws/lambda/provided@sha256:fccfd0084b15038fda9771bdaa2b5087004ac6f2376b5a821a38b17df8919454 |
| public.ecr.aws/lambda/provided:al2023 | public.ecr.aws/lambda/provided@sha256:fccfd0084b15038fda9771bdaa2b5087004ac6f2376b5a821a38b17df8919454 |
| public.ecr.aws/lambda/python:latest | public.ecr.aws/lambda/python@sha256:848e60fa6f070804e1a1b69a1625960ca7bc8c76b2497ca4ce8ac7b71ceda63a |
| public.ecr.aws/lambda/python:3.14 | public.ecr.aws/lambda/python@sha256:1fd5c17964312d7697b658b87a7c3716c7ce3fd7682b281a809dca6ecd274ef6 |
| public.ecr.aws/lambda/python:3.13 | public.ecr.aws/lambda/python@sha256:848e60fa6f070804e1a1b69a1625960ca7bc8c76b2497ca4ce8ac7b71ceda63a |
| public.ecr.aws/lambda/python:3.12 | public.ecr.aws/lambda/python@sha256:3558a6f489881115457dee200ad0cdeae7b117a99f94ca23a1b6ee7faa39df07 |
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:263d7543e1915904b5a09841d61e36285a1f2add466cec8347864079f991adc7 |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:d2f2127092839df373e3c05f1798677b5f81cba87f450ad99403d45bf0da93a0 |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:263d7543e1915904b5a09841d61e36285a1f2add466cec8347864079f991adc7 |
| public.ecr.aws/lambda/java:latest | public.ecr.aws/lambda/java@sha256:7e763d8d8a95dc00c0f75c2ca87e38e5223c5775ea48993e5d5cdb24e623f03a |
| public.ecr.aws/lambda/java:25 | public.ecr.aws/lambda/java@sha256:cf85a742786fd4e3fdddd1eff744a2d5e26dd8c8fd724b786086822ec0997f4e |
| public.ecr.aws/lambda/java:21 | public.ecr.aws/lambda/java@sha256:7e763d8d8a95dc00c0f75c2ca87e38e5223c5775ea48993e5d5cdb24e623f03a |
| public.ecr.aws/lambda/dotnet:latest | public.ecr.aws/lambda/dotnet@sha256:568af3219e3946daa0408ea337202c270bcb1cb563e2d661fb047cccca2d93c7 |
| public.ecr.aws/lambda/dotnet:10 | public.ecr.aws/lambda/dotnet@sha256:51a92b3840fa572c6c3fe8f43c54f42a70ab88592c7756c44b26b86f4126c053 |
| public.ecr.aws/lambda/dotnet:9 | public.ecr.aws/lambda/dotnet@sha256:568af3219e3946daa0408ea337202c270bcb1cb563e2d661fb047cccca2d93c7 |
| public.ecr.aws/lambda/dotnet:8 | public.ecr.aws/lambda/dotnet@sha256:8e92e230e871b19c6705590c45bc658d22c70447d2f7c382b0ec3f5571ab7fb3 |
| public.ecr.aws/lambda/ruby:latest | public.ecr.aws/lambda/ruby@sha256:b343408d0f9cc3899b5a6219a08dedefd60a83112655d14507f8384e56fd4fc3 |
| public.ecr.aws/lambda/ruby:4.0 | public.ecr.aws/lambda/ruby@sha256:b343408d0f9cc3899b5a6219a08dedefd60a83112655d14507f8384e56fd4fc3 |
| public.ecr.aws/lambda/ruby:3.4 | public.ecr.aws/lambda/ruby@sha256:84d971a148a74f25ea4f93ed7176cad0ae14c8861e8944afdd83c91a32240398 |
| public.ecr.aws/lambda/ruby:3.3 | public.ecr.aws/lambda/ruby@sha256:b627fa0efcf610105b6c864aff86e6d89c1c7c6cf32cade5ef95e53c04a41db7 |

Description

A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.


Remediation Steps

  • Update the affected package libsolv from version 0.7.22-1.amzn2023.0.3 to 0.7.22-1.amzn2023.0.4.

About this issue

  • This issue may not contain all the information about the CVE or the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
