CVE-2026-9149 (HIGH): detected in Lambda Docker Images. #547

@the-lambda-watchdog

CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-9149 | HIGH | libsolv | 0.7.22-1.amzn2023.0.3 | 0.7.22-1.amzn2023.0.4 | 2026-05-21T00:16:35.63Z | 2026-06-09T10:18:59.124160406Z |

Affected Docker Images

Image Name SHA
public.ecr.aws/lambda/provided:latest public.ecr.aws/lambda/provided@sha256:fccfd0084b15038fda9771bdaa2b5087004ac6f2376b5a821a38b17df8919454
public.ecr.aws/lambda/provided:al2023 public.ecr.aws/lambda/provided@sha256:fccfd0084b15038fda9771bdaa2b5087004ac6f2376b5a821a38b17df8919454
public.ecr.aws/lambda/python:latest public.ecr.aws/lambda/python@sha256:848e60fa6f070804e1a1b69a1625960ca7bc8c76b2497ca4ce8ac7b71ceda63a
public.ecr.aws/lambda/python:3.14 public.ecr.aws/lambda/python@sha256:1fd5c17964312d7697b658b87a7c3716c7ce3fd7682b281a809dca6ecd274ef6
public.ecr.aws/lambda/python:3.13 public.ecr.aws/lambda/python@sha256:848e60fa6f070804e1a1b69a1625960ca7bc8c76b2497ca4ce8ac7b71ceda63a
public.ecr.aws/lambda/python:3.12 public.ecr.aws/lambda/python@sha256:3558a6f489881115457dee200ad0cdeae7b117a99f94ca23a1b6ee7faa39df07
public.ecr.aws/lambda/nodejs:latest public.ecr.aws/lambda/nodejs@sha256:263d7543e1915904b5a09841d61e36285a1f2add466cec8347864079f991adc7
public.ecr.aws/lambda/nodejs:24 public.ecr.aws/lambda/nodejs@sha256:d2f2127092839df373e3c05f1798677b5f81cba87f450ad99403d45bf0da93a0
public.ecr.aws/lambda/nodejs:22 public.ecr.aws/lambda/nodejs@sha256:263d7543e1915904b5a09841d61e36285a1f2add466cec8347864079f991adc7
public.ecr.aws/lambda/java:latest public.ecr.aws/lambda/java@sha256:7e763d8d8a95dc00c0f75c2ca87e38e5223c5775ea48993e5d5cdb24e623f03a
public.ecr.aws/lambda/java:25 public.ecr.aws/lambda/java@sha256:cf85a742786fd4e3fdddd1eff744a2d5e26dd8c8fd724b786086822ec0997f4e
public.ecr.aws/lambda/java:21 public.ecr.aws/lambda/java@sha256:7e763d8d8a95dc00c0f75c2ca87e38e5223c5775ea48993e5d5cdb24e623f03a
public.ecr.aws/lambda/dotnet:latest public.ecr.aws/lambda/dotnet@sha256:568af3219e3946daa0408ea337202c270bcb1cb563e2d661fb047cccca2d93c7
public.ecr.aws/lambda/dotnet:10 public.ecr.aws/lambda/dotnet@sha256:51a92b3840fa572c6c3fe8f43c54f42a70ab88592c7756c44b26b86f4126c053
public.ecr.aws/lambda/dotnet:9 public.ecr.aws/lambda/dotnet@sha256:568af3219e3946daa0408ea337202c270bcb1cb563e2d661fb047cccca2d93c7
public.ecr.aws/lambda/dotnet:8 public.ecr.aws/lambda/dotnet@sha256:8e92e230e871b19c6705590c45bc658d22c70447d2f7c382b0ec3f5571ab7fb3
public.ecr.aws/lambda/ruby:latest public.ecr.aws/lambda/ruby@sha256:b343408d0f9cc3899b5a6219a08dedefd60a83112655d14507f8384e56fd4fc3
public.ecr.aws/lambda/ruby:4.0 public.ecr.aws/lambda/ruby@sha256:b343408d0f9cc3899b5a6219a08dedefd60a83112655d14507f8384e56fd4fc3
public.ecr.aws/lambda/ruby:3.4 public.ecr.aws/lambda/ruby@sha256:84d971a148a74f25ea4f93ed7176cad0ae14c8861e8944afdd83c91a32240398
public.ecr.aws/lambda/ruby:3.3 public.ecr.aws/lambda/ruby@sha256:b627fa0efcf610105b6c864aff86e6d89c1c7c6cf32cade5ef95e53c04a41db7

Description

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted .solv file containing negative size values in the repo_add_solv function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).


Remediation Steps

  • Update the affected package libsolv from version 0.7.22-1.amzn2023.0.3 to 0.7.22-1.amzn2023.0.4.

About this issue

  • This issue may not contain all the information about the CVE or the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
