CVE-2026-40355 (MEDIUM): detected in Lambda Docker Images. #524

@the-lambda-watchdog

Description

CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-40355 | MEDIUM | krb5-libs | 1.21.3-6.amzn2023.0.1 | 1.21.3-7.amzn2023.0.1 | 2026-04-28T06:16:03.663Z | 2026-05-15T10:18:18.296326832Z |

Affected Docker Images

| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/provided:latest | public.ecr.aws/lambda/provided@sha256:76c62dd9e4a206e6445971e2e72a83385fe81f558b6fbd3184145b1c2abf65b0 |
| public.ecr.aws/lambda/provided:al2023 | public.ecr.aws/lambda/provided@sha256:76c62dd9e4a206e6445971e2e72a83385fe81f558b6fbd3184145b1c2abf65b0 |
| public.ecr.aws/lambda/python:latest | public.ecr.aws/lambda/python@sha256:707eb125244dbc708baa32968d7a743d8ad523d1feb5e64039447ac02870b892 |
| public.ecr.aws/lambda/python:3.14 | public.ecr.aws/lambda/python@sha256:c78fae22ed86aedf25666c470abd39ef54e321ed215409a3742931c01bdd80aa |
| public.ecr.aws/lambda/python:3.13 | public.ecr.aws/lambda/python@sha256:707eb125244dbc708baa32968d7a743d8ad523d1feb5e64039447ac02870b892 |
| public.ecr.aws/lambda/python:3.12 | public.ecr.aws/lambda/python@sha256:f55f53876d6185504ad73ae60e2ab74a9bb4c55717845599583b18c5a6f5ef75 |
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:180b69c85b5b9f47a6e4f835321d4b809b3fe651860be729f6250cfb6aef2646 |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:214658d274071f8dc896377a7fb202d74a7690422f7412c10ce60a1f80d3b90a |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:180b69c85b5b9f47a6e4f835321d4b809b3fe651860be729f6250cfb6aef2646 |
| public.ecr.aws/lambda/java:latest | public.ecr.aws/lambda/java@sha256:ed418c7dcdf959a45ac30689b61fb76e417a58ef2650aac0b18bedc181b9f02b |
| public.ecr.aws/lambda/java:25 | public.ecr.aws/lambda/java@sha256:9dc10a0889c651f2b9b11fb71744e25a493cc38cd5a8bfef28bb2471441099c1 |
| public.ecr.aws/lambda/java:21 | public.ecr.aws/lambda/java@sha256:ed418c7dcdf959a45ac30689b61fb76e417a58ef2650aac0b18bedc181b9f02b |
| public.ecr.aws/lambda/dotnet:latest | public.ecr.aws/lambda/dotnet@sha256:837e1509262243116a8d4962bf5bea033ca35130a3d9fdd1e6a9b0fdc1abab2c |
| public.ecr.aws/lambda/dotnet:10 | public.ecr.aws/lambda/dotnet@sha256:3a9b62310b6c596d53190b912d8696ca5a5d446ca15b435901a5302852997f7f |
| public.ecr.aws/lambda/dotnet:9 | public.ecr.aws/lambda/dotnet@sha256:837e1509262243116a8d4962bf5bea033ca35130a3d9fdd1e6a9b0fdc1abab2c |
| public.ecr.aws/lambda/dotnet:8 | public.ecr.aws/lambda/dotnet@sha256:0391ea50754bd647819caa5f266450f9ca1fa5f1f125f66b9cb524b4a1caebb7 |
| public.ecr.aws/lambda/ruby:latest | public.ecr.aws/lambda/ruby@sha256:3e26056a96e29d1f4fcb3b45756c8dbe620a7b80578815941f82568672329d51 |
| public.ecr.aws/lambda/ruby:4.0 | public.ecr.aws/lambda/ruby@sha256:3e26056a96e29d1f4fcb3b45756c8dbe620a7b80578815941f82568672329d51 |
| public.ecr.aws/lambda/ruby:3.4 | public.ecr.aws/lambda/ruby@sha256:d2c06ba9a66d288d79ba2a045dc04701e8604c62e11170c2bea34cde13d4291f |
| public.ecr.aws/lambda/ruby:3.3 | public.ecr.aws/lambda/ruby@sha256:5316ab49b68e2e56ac08f54347fb1708c3eb2f2af793680a9089f2fdcee5013e |

Description

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
Remediation Steps

  • Update the affected package krb5-libs from version 1.21.3-6.amzn2023.0.1 to 1.21.3-7.amzn2023.0.1.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
