High-Severity OpenSSL Flaw CVE-2026-28390 Exposes Alpine 3.23 PHP Images
A high-severity vulnerability has been automatically flagged in widely used PHP container images, exposing systems built on the Alpine Linux 3.23 base to potential compromise. The flaw, tracked as CVE-2026-28390 and rated HIGH severity, stems from outdated OpenSSL packages shipped in Alpine 3.23.3. Automated scans with the Trivy security scanner confirm that the vulnerability remains unpatched in specific public container images, creating an immediate risk for deployments that rely on these builds.
The vulnerability resides in three core packages, `libcrypto3`, `libssl3`, and `openssl`, all at version 3.5.5-r0; the fixed version is 3.5.6-r0. The affected images are hosted on GitHub Container Registry under the `rafalmasiarek/php` repository and span both the PHP 8.4 and 8.5 branches in their `cli` and `fpm` variants. Each affected image digest identifies a specific vulnerable build, so any container instantiated from one of these exact images inherits the flaw. This is not a theoretical risk but a confirmed exposure in live, downloadable artifacts.
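The check a defender would run against findings like these, added here as an example rather than taken from the article or the image maintainer: it parses a Trivy-style JSON report (the sample is constructed, with a placeholder image name) and compares each installed apk version against the 3.5.6-r0 fix using a simplified apk version ordering.

```python
import json
import re

# Constructed Trivy-style JSON report, not a real scan of the images named in the article.
# Field names follow Trivy's JSON output: Results[].Vulnerabilities[] entries carry
# VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/php:8.4-cli",  # placeholder image reference
    "Results": [{
        "Target": "example.invalid/php:8.4-cli (alpine 3.23.3)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-28390", "PkgName": pkg,
             "InstalledVersion": "3.5.5-r0", "FixedVersion": "3.5.6-r0", "Severity": "HIGH"}
            for pkg in ("libcrypto3", "libssl3", "openssl")
        ],
    }],
})

def apk_version_key(version):
    """Turn an Alpine apk version such as '3.5.6-r0' into a comparable tuple.

    Simplified on purpose: handles dotted numeric versions plus the '-rN' package
    release. Real apk versions may also carry suffixes such as _p1 or _alpha,
    which this helper does not model (an assumption of this example)."""
    base, _, release = version.partition("-r")
    parts = tuple(int(p) for p in re.findall(r"\d+", base))
    return parts, int(release or 0)

def is_fixed(installed, fixed):
    """True if the installed package version is at or above the fixed version."""
    return apk_version_key(installed) >= apk_version_key(fixed)

def affected_packages(report_json, cve_id):
    """Return (package, installed, fixed) for every OS package in the report that
    still carries cve_id below the fixed version; an empty list means nothing to do."""
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id:
                continue
            fixed = vuln.get("FixedVersion")
            if not fixed or not is_fixed(vuln["InstalledVersion"], fixed):
                hits.append((vuln["PkgName"], vuln["InstalledVersion"], fixed))
    return hits

if __name__ == "__main__":
    for pkg, installed, fixed in affected_packages(SAMPLE_REPORT, "CVE-2026-28390"):
        print(f"{pkg}: installed {installed}, fix available in {fixed or 'n/a'}")
```

Feeding the output of `trivy image --format json` for a rebuilt image into `affected_packages` gives an empty list once all three packages report 3.5.6-r0 or later.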
The persistence of this HIGH-severity OpenSSL flaw in a foundational layer like Alpine 3.23 places downstream PHP applications at direct risk. Organizations using these specific `ghcr.io/rafalmasiarek/php` images for development, testing, or production should treat this as an urgent operational security event. Until the OpenSSL packages are updated to 3.5.6-r0, systems remain exposed to exploitation of the CVE, which could lead to unauthorized access, data interception, or system instability. The incident underscores the dependency chain in containerized environments and the cascading risk that follows when a base image lags on security patches.