Security Alert: CVE-2026-6042 in Alpine 3.23 Exposes PHP 8.4 & 8.5 Docker Images
An automated security scan has flagged a medium-severity vulnerability, CVE-2026-6042, within a widely used software supply chain. The flaw resides in the musl library of Alpine Linux 3.23, a foundational layer for countless containerized applications, and has been detected in specific public Docker images hosting PHP 8.4 and 8.5. This exposes a critical dependency risk for developers and systems relying on these seemingly standard container builds.
The vulnerability is confirmed in Alpine version 3.23.3, affecting the `musl` and `musl-utils` packages. The installed vulnerable version is `1.2.5-r21`, with a fix available in `1.2.5-r22`. The exposure directly impacts PHP branches 8.4 and 8.5 across both `cli` and `fpm` variants. Four specific container images from the `ghcr.io/rafalmasiarek/php` repository have been identified as carrying the unpatched library, with their full SHA256 digests listed, pinning down the exact affected builds.
This incident underscores the persistent risk of inherited vulnerabilities in container ecosystems. While the severity is currently rated as MEDIUM, the presence of an unpatched CVE in a core system library like musl creates a potential attack surface for any service deployed using these images. It puts pressure on maintainers to rebuild and republish the images, and prompts development and operations teams to audit their deployments immediately for the affected image digests. The reliance on automated scanning tools like Trivy is highlighted as a necessary, but reactive, defense in a complex software supply chain.
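As an added example (not code from the advisory or from the image maintainer), the following Python triage script reads a Trivy JSON report and flags every image whose `musl` or `musl-utils` release is still below the `1.2.5-r22` fix, comparing Alpine apk versions properly rather than as strings. The embedded report is constructed for the demo, and the image tags `8.4-cli` and `8.5-fpm` are assumed names.

```python
import json

CVE = "CVE-2026-6042"
# Fixed package releases stated in the advisory (Alpine 3.23.3).
FIXED = {"musl": "1.2.5-r22", "musl-utils": "1.2.5-r22"}


def parse_apk_version(version):
    """Split a plain Alpine version like '1.2.5-r21' into ((1, 2, 5), 21).
    Only the X.Y.Z-rN shape used by the musl packages above is handled."""
    base, _, rel = version.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rel or 0)


def is_fixed(installed, fixed):
    """True when the installed apk release is at or past the fixed one."""
    return parse_apk_version(installed) >= parse_apk_version(fixed)


def unpatched_findings(report):
    """Return (target, package, installed, fixed) for each CVE-2026-6042
    finding in a Trivy JSON report whose release is still below the fix."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != CVE:
                continue
            pkg = vuln["PkgName"]
            installed = vuln["InstalledVersion"]
            # Prefer the fix version Trivy reports; fall back to the advisory's.
            fixed = vuln.get("FixedVersion") or FIXED.get(pkg)
            if fixed and not is_fixed(installed, fixed):
                findings.append((result["Target"], pkg, installed, fixed))
    return findings


# Constructed sample in Trivy's JSON layout: one image still on musl r21,
# one rebuilt image where the scanner reports nothing for this CVE.
SAMPLE_REPORT = json.loads("""{
  "Results": [
    {"Target": "ghcr.io/rafalmasiarek/php:8.4-cli (alpine 3.23.3)",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2026-6042", "PkgName": "musl",
        "InstalledVersion": "1.2.5-r21", "FixedVersion": "1.2.5-r22",
        "Severity": "MEDIUM"}]},
    {"Target": "ghcr.io/rafalmasiarek/php:8.5-fpm (alpine 3.23.3)",
     "Vulnerabilities": []}
  ]}""")

if __name__ == "__main__":
    for target, pkg, installed, fixed in unpatched_findings(SAMPLE_REPORT):
        print(f"REBUILD {target}: {pkg} {installed} < {fixed}")
```

Pipe a real `trivy image --format json` report into `unpatched_findings` to get the rebuild list for your own registry.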