Skip to content

CVE-2026-27138 (UNKNOWN): detected in Lambda Docker Images. #437

Description

@the-lambda-watchdog

CVE Details

CVE ID Severity Affected Package Installed Version Fixed Version Date Published Date of Scan
CVE-2026-27138 UNKNOWN stdlib v1.25.7 1.26.1 2026-03-06T22:16:00.963Z 2026-03-07T10:18:11.197305851Z

Affected Docker Images

Image Name SHA
public.ecr.aws/lambda/provided:latest public.ecr.aws/lambda/provided@sha256:a2c2e2ea773fd480ecc196fa6130d99b3b085bfbdd9b55b054387afd6c67cbf1
public.ecr.aws/lambda/provided:al2023 public.ecr.aws/lambda/provided@sha256:a2c2e2ea773fd480ecc196fa6130d99b3b085bfbdd9b55b054387afd6c67cbf1
public.ecr.aws/lambda/provided:al2 public.ecr.aws/lambda/provided@sha256:20460477de18166b919cfc8d890f03e05f8615670b644567d1616b71e93744d7
public.ecr.aws/lambda/python:latest public.ecr.aws/lambda/python@sha256:9d4188fd11f641450a5c83d6efb2d03642cd34231337bdee1c945e8ffea4da35
public.ecr.aws/lambda/python:3.14 public.ecr.aws/lambda/python@sha256:caf9d11e1da1bb43f1507eebe2761de131545df9da1ab6c1f84dfd17b9260b94
public.ecr.aws/lambda/python:3.13 public.ecr.aws/lambda/python@sha256:9d4188fd11f641450a5c83d6efb2d03642cd34231337bdee1c945e8ffea4da35
public.ecr.aws/lambda/python:3.12 public.ecr.aws/lambda/python@sha256:70739d82cddc070a22f74c6591bb805153ce7a074a2202557a4b6f7cb1e823ff
public.ecr.aws/lambda/python:3.11 public.ecr.aws/lambda/python@sha256:f302b4338be4d4860d644e197b59012d5089c7d9c84b94eafa1a6893f5718012
public.ecr.aws/lambda/python:3.10 public.ecr.aws/lambda/python@sha256:7338af5a6695273dff355a8000753dad8dd91cfcf26565ca5e2ddb53046ea9b5
public.ecr.aws/lambda/nodejs:latest public.ecr.aws/lambda/nodejs@sha256:cf6459f182e22a52e2bfd10576477c3c70f05ab404d8695bc16b6480c7d37505
public.ecr.aws/lambda/nodejs:24 public.ecr.aws/lambda/nodejs@sha256:4f78a2edca6966a4ee0f056562d8510267df8f39c90df00f23d52f0b581cbeeb
public.ecr.aws/lambda/nodejs:22 public.ecr.aws/lambda/nodejs@sha256:cf6459f182e22a52e2bfd10576477c3c70f05ab404d8695bc16b6480c7d37505
public.ecr.aws/lambda/nodejs:20 public.ecr.aws/lambda/nodejs@sha256:5643651ce243fcd5b6209cd5ac348cb2e66a7a9eb8f050c470ad4d19e993c5e4
public.ecr.aws/lambda/java:latest public.ecr.aws/lambda/java@sha256:e0abcc653f07bda767d0294bccba3197a845fcbf3449445c4c32f7e9f917a8c0
public.ecr.aws/lambda/java:25 public.ecr.aws/lambda/java@sha256:a183f72f080b8f62949f7a5810c3c0fafbf9620741c70f47ed215df55b2f52ca
public.ecr.aws/lambda/java:21 public.ecr.aws/lambda/java@sha256:e0abcc653f07bda767d0294bccba3197a845fcbf3449445c4c32f7e9f917a8c0
public.ecr.aws/lambda/java:17 public.ecr.aws/lambda/java@sha256:e0d2355c6cd6f9e83c70aeba77ecdfee51a5d47eeb8f943b5b0487bcfe6a8857
public.ecr.aws/lambda/java:11 public.ecr.aws/lambda/java@sha256:edab224cfa3a88705c112c85820c99bf689072c7b32ca19688830f8f1ab24288
public.ecr.aws/lambda/java:8.al2 public.ecr.aws/lambda/java@sha256:95b8110b178affa75c00c275ee7a4fe2e0236787e68c2baf5cb94849c113887e
public.ecr.aws/lambda/dotnet:latest public.ecr.aws/lambda/dotnet@sha256:706f69f8ae8959386b03cb3fffe3856ff76c5d815486e83d5fcf4b6c3fe54543
public.ecr.aws/lambda/dotnet:10 public.ecr.aws/lambda/dotnet@sha256:d674377cee44a2769af021edfda4785b08c1edd19f095994633372e206a902d4
public.ecr.aws/lambda/dotnet:9 public.ecr.aws/lambda/dotnet@sha256:34858c43c8379048b221e3ba390bf133c63ff20d406002a79b597f6e8513fe5b
public.ecr.aws/lambda/dotnet:8 public.ecr.aws/lambda/dotnet@sha256:706f69f8ae8959386b03cb3fffe3856ff76c5d815486e83d5fcf4b6c3fe54543
public.ecr.aws/lambda/ruby:latest public.ecr.aws/lambda/ruby@sha256:a11924e9291702f606f68b66b813bd7739dcd843af4b9ce6080f35bec1266c5e
public.ecr.aws/lambda/ruby:3.4 public.ecr.aws/lambda/ruby@sha256:a11924e9291702f606f68b66b813bd7739dcd843af4b9ce6080f35bec1266c5e
public.ecr.aws/lambda/ruby:3.3 public.ecr.aws/lambda/ruby@sha256:30286263a2c9736d4ec7c30c391572d565d608c994b92a81c54e73c260adf852
public.ecr.aws/lambda/ruby:3.2 public.ecr.aws/lambda/ruby@sha256:b07e4becc1fd67cdd88849c2033b50da4cf0b91e01a2c40eaea4789eaddf393e

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.


Remediation Steps

  • Update the affected package stdlib from version v1.25.7 to 1.26.1.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions