Skip to content

CVE-2026-39824 (UNKNOWN): detected in Lambda Docker Images. #574

Description

@the-lambda-watchdog

CVE Details

CVE ID Severity Affected Package Installed Version Fixed Version Date Published Date of Scan
CVE-2026-39824 UNKNOWN golang.org/x/sys v0.21.0 0.44.0 2026-05-22T20:16:33.057Z 2026-06-23T10:18:50.836877684Z

Affected Docker Images

Image Name SHA
public.ecr.aws/lambda/provided:latest public.ecr.aws/lambda/provided@sha256:26136a72871f0d0f9948a98a4568010b3aa210cd7bcb7dd6b51b606fe743b79a
public.ecr.aws/lambda/provided:al2023 public.ecr.aws/lambda/provided@sha256:26136a72871f0d0f9948a98a4568010b3aa210cd7bcb7dd6b51b606fe743b79a
public.ecr.aws/lambda/provided:al2 public.ecr.aws/lambda/provided@sha256:22008d499f4c6eca7786139fe7d69530d0cc94027bf1e74f5316182a761ca86c
public.ecr.aws/lambda/python:latest public.ecr.aws/lambda/python@sha256:044c120ac73fd263df0e1eeb8b2938a8b7038c8f045747091ee21f60eef38615
public.ecr.aws/lambda/python:3.14 public.ecr.aws/lambda/python@sha256:10caad75cac688d8a8773f2ea2ec0aa6a3940a3d7d5716b8a3ccb5c2bc636c88
public.ecr.aws/lambda/python:3.13 public.ecr.aws/lambda/python@sha256:044c120ac73fd263df0e1eeb8b2938a8b7038c8f045747091ee21f60eef38615
public.ecr.aws/lambda/python:3.12 public.ecr.aws/lambda/python@sha256:e5d193e114642db0aefc860339bcfa80a20b3c6e1c178592c9da060b940808fc
public.ecr.aws/lambda/python:3.11 public.ecr.aws/lambda/python@sha256:50d53b611032d45ac77fe94cc06e2bf5f6654be8a5f14070b15a1e1dfabf667d
public.ecr.aws/lambda/python:3.10 public.ecr.aws/lambda/python@sha256:3b9bc56af97d65c7fe9b41f2fca788531de849e5a68acc9d0126b3f6e685cd2f
public.ecr.aws/lambda/nodejs:latest public.ecr.aws/lambda/nodejs@sha256:893686cc8a6ea6ddb41b96d094c5da6a3be66808dda7156d95285b33055b7551
public.ecr.aws/lambda/nodejs:24 public.ecr.aws/lambda/nodejs@sha256:904f7a98db07d37b59bf7edd90ed97bbba1cb574fd86db462205c68cfc55486c
public.ecr.aws/lambda/nodejs:22 public.ecr.aws/lambda/nodejs@sha256:893686cc8a6ea6ddb41b96d094c5da6a3be66808dda7156d95285b33055b7551
public.ecr.aws/lambda/java:latest public.ecr.aws/lambda/java@sha256:73bfcfb287179441c225c3fd4cf281655abfe84b66ae336d97c56080a29d8f29
public.ecr.aws/lambda/java:25 public.ecr.aws/lambda/java@sha256:bdf90c0a3e157b7f34639f4645010303ef034d1548a8f98af7daf4c55fa1ab9b
public.ecr.aws/lambda/java:21 public.ecr.aws/lambda/java@sha256:73bfcfb287179441c225c3fd4cf281655abfe84b66ae336d97c56080a29d8f29
public.ecr.aws/lambda/java:17 public.ecr.aws/lambda/java@sha256:ae3eb35fe4cc0a0d3af84b32e404a52531a6b9089080752b7939d1374fc69e8d
public.ecr.aws/lambda/java:11 public.ecr.aws/lambda/java@sha256:9288f2fad06634633960606a7687527f2290ff69ef1339442e298653f404d6b6
public.ecr.aws/lambda/java:8.al2 public.ecr.aws/lambda/java@sha256:4938485af38f8226f899ed8d32216f3a4ca8560fc76484c4af12143b359c792f
public.ecr.aws/lambda/dotnet:latest public.ecr.aws/lambda/dotnet@sha256:e4b0bd551f9797fd59c8593b1d54cf159f3738fe0542b585253f9aa996b7756c
public.ecr.aws/lambda/dotnet:10 public.ecr.aws/lambda/dotnet@sha256:3ec97320c51f150aa53652bc3fd3287fb228b61079245d9be305a6987ff50df8
public.ecr.aws/lambda/dotnet:9 public.ecr.aws/lambda/dotnet@sha256:e4b0bd551f9797fd59c8593b1d54cf159f3738fe0542b585253f9aa996b7756c
public.ecr.aws/lambda/dotnet:8 public.ecr.aws/lambda/dotnet@sha256:9c7bacbc551a7b7b8d8bbea3a7407bd7053e881f9d039f6e25e1c7c58a2ddd0c
public.ecr.aws/lambda/ruby:latest public.ecr.aws/lambda/ruby@sha256:a00f8f33a0db8c2723951075efd02a008a758e3b86ee69a7448f3673b1790b00
public.ecr.aws/lambda/ruby:4.0 public.ecr.aws/lambda/ruby@sha256:deb470c7a55238628917444f3c4e7ad012ddab25cb22b072a38e5f16f8e5628e
public.ecr.aws/lambda/ruby:3.4 public.ecr.aws/lambda/ruby@sha256:a00f8f33a0db8c2723951075efd02a008a758e3b86ee69a7448f3673b1790b00
public.ecr.aws/lambda/ruby:3.3 public.ecr.aws/lambda/ruby@sha256:b1c634bf4af56649719a79ad3bbafd9bbd94384d2b2170f44dc84ed59bea1368

Description

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.


Remediation Steps

  • Update the affected package golang.org/x/sys from version v0.21.0 to 0.44.0.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions