
CVE-2026-0989 (LOW): detected in Lambda Docker Images. #405

@the-lambda-watchdog

CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-0989 | LOW | libxml2 | 2.10.4-1.amzn2023.0.15 | 2.10.4-1.amzn2023.0.17 | 2026-01-15T15:15:52.35Z | 2026-02-08T10:18:18.781547626Z |

Affected Docker Images

Image Name SHA
public.ecr.aws/lambda/provided:latest public.ecr.aws/lambda/provided@sha256:b552c8a6a9439ade38fc00160b6827ba73f233865b44c75ca66b7d3069b21bd8
public.ecr.aws/lambda/provided:al2023 public.ecr.aws/lambda/provided@sha256:b552c8a6a9439ade38fc00160b6827ba73f233865b44c75ca66b7d3069b21bd8
public.ecr.aws/lambda/provided:al2 public.ecr.aws/lambda/provided@sha256:c95bb4740c55b5aed125530d1e4fff4fa54dc2c8c38401255cef1c8fae6f16dd
public.ecr.aws/lambda/python:latest public.ecr.aws/lambda/python@sha256:c298670d11e7ef1f2ef63357da84c3dbf5176f25b1e8bac43410c4a8f6626fc0
public.ecr.aws/lambda/python:3.14 public.ecr.aws/lambda/python@sha256:426f35313ef4bd78b9ec159301e619c7708b49b22f47e9525763feb773984984
public.ecr.aws/lambda/python:3.13 public.ecr.aws/lambda/python@sha256:c298670d11e7ef1f2ef63357da84c3dbf5176f25b1e8bac43410c4a8f6626fc0
public.ecr.aws/lambda/python:3.12 public.ecr.aws/lambda/python@sha256:5787d35f17fa738e8409f93e591243e80ab03e614d62bc850c0deca2b1065896
public.ecr.aws/lambda/python:3.11 public.ecr.aws/lambda/python@sha256:474fd1275b70405d2e6aa25701e0aa2c45d651a22d5752f2e4abfa640700e557
public.ecr.aws/lambda/python:3.10 public.ecr.aws/lambda/python@sha256:30c7b8614d0e826edee1d7a98e8d5b96d24758eb71be0d2a4f9747c47afa0321
public.ecr.aws/lambda/nodejs:latest public.ecr.aws/lambda/nodejs@sha256:1fe9b37355be76d42678e1ce967437f66a38fb36bc7685c50ee5d05f7bce754b
public.ecr.aws/lambda/nodejs:24 public.ecr.aws/lambda/nodejs@sha256:1d103fa43ec950fec9f0a2f678ece499dd58276a45cbbac52e2ae2d8511ac9ab
public.ecr.aws/lambda/nodejs:22 public.ecr.aws/lambda/nodejs@sha256:1fe9b37355be76d42678e1ce967437f66a38fb36bc7685c50ee5d05f7bce754b
public.ecr.aws/lambda/nodejs:20 public.ecr.aws/lambda/nodejs@sha256:4755182a6b9bbb8d713cb585038a8c100012c03fde73af4136e97ff0506f9f16
public.ecr.aws/lambda/java:latest public.ecr.aws/lambda/java@sha256:82e9a3bdee92873a90a65186e987af72f5256a3fbd432dc32d3ed92eb5f1f4e0
public.ecr.aws/lambda/java:25 public.ecr.aws/lambda/java@sha256:0d37d120a6dab8b2972e07bcf552c37b1bbb9140ce4f1faa13890f1e5fdb7cef
public.ecr.aws/lambda/java:21 public.ecr.aws/lambda/java@sha256:82e9a3bdee92873a90a65186e987af72f5256a3fbd432dc32d3ed92eb5f1f4e0
public.ecr.aws/lambda/java:17 public.ecr.aws/lambda/java@sha256:493cc7d1085a30a8507055d7aa9d46ea846d6921e38895061f5893c5ddfe0f32
public.ecr.aws/lambda/java:11 public.ecr.aws/lambda/java@sha256:f7fe1fa2410e39d2aff9d60e84ee2241276ce238350544627186774b18ba370f
public.ecr.aws/lambda/java:8.al2 public.ecr.aws/lambda/java@sha256:5403b865aa3424b877eac9b82a38e47206de8d3dd4b1ec9603548acfe3f3f42d
public.ecr.aws/lambda/dotnet:latest public.ecr.aws/lambda/dotnet@sha256:de9a13b0c6b1aca3e09a91e58bbc53a4ac20075019fb53f64984e1a344acaf32
public.ecr.aws/lambda/dotnet:10 public.ecr.aws/lambda/dotnet@sha256:291f2b667e980bceefc3041dd95941b782a0deb3364bb4c5d1a656451f482e3a
public.ecr.aws/lambda/dotnet:9 public.ecr.aws/lambda/dotnet@sha256:de9a13b0c6b1aca3e09a91e58bbc53a4ac20075019fb53f64984e1a344acaf32
public.ecr.aws/lambda/dotnet:8 public.ecr.aws/lambda/dotnet@sha256:5aba1ce4e38cf4989df306c981c86b9b1f187d113cbc1d6e211c391d0d94fd62
public.ecr.aws/lambda/ruby:latest public.ecr.aws/lambda/ruby@sha256:2acb6aa2ac8390e4cd116d6925ef0201afd2aa8954cf471e981c06236a676276
public.ecr.aws/lambda/ruby:3.4 public.ecr.aws/lambda/ruby@sha256:2acb6aa2ac8390e4cd116d6925ef0201afd2aa8954cf471e981c06236a676276
public.ecr.aws/lambda/ruby:3.3 public.ecr.aws/lambda/ruby@sha256:6a65570479fdb0d7fab7dd755d256b016624678e946c4fbacaade01c0923fb54
public.ecr.aws/lambda/ruby:3.2 public.ecr.aws/lambda/ruby@sha256:ff5a94eabd5d931b983da803d38f454332e9627d0b0bde40baaa4293ea97cc7c

Description

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.


Remediation Steps

  • Update the affected package libxml2 from version 2.10.4-1.amzn2023.0.15 to 2.10.4-1.amzn2023.0.17.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
