Security Alert: CVE-2026-40312 Affects Alpine 3.23 PHP Images, Remediation Fails
An automated security scan has flagged a persistent, unresolved vulnerability in critical PHP container images. The medium-severity flaw, CVE-2026-40312, remains active in images based on Alpine Linux 3.23.3 even after a rebuild, indicating a systemic patching failure that leaves deployments exposed.
The vulnerability originates from outdated ImageMagick packages (`imagemagick`, `imagemagick-jpeg`, `imagemagick-libs`) at version 7.1.2.17-r0, which require an update to version 7.1.2.19-r0. It specifically impacts the `ghcr.io/rafalmasiarek/php` repository, affecting both the `cli` and `fpm` variants of PHP 8.4. The scan data shows zero matched hotfix scripts, and the CVE is confirmed to still be present after a rebuild attempt, a clear signal that the underlying base image or build process has not integrated the necessary security fix.
This failure creates direct operational risk for any service or application relying on these specific container tags. The persistence of the flaw post-rebuild suggests the issue may be upstream in the Alpine 3.23 branch itself or in the image maintenance pipeline, requiring immediate manual intervention from developers and DevOps teams to either force a package upgrade or seek alternative base images to close the security gap.
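A quick way to confirm whether a given image still carries the affected packages, added here as an illustration rather than taken from the alert or from the image maintainer: run `apk info -v` inside the container and compare the three ImageMagick package versions against the fixed release named above. The version comparison, the package list and the sample `apk info -v` output below are constructed for this example.

```shell
# Added example (not from the alert or the image maintainer): flag ImageMagick
# packages still below the fixed version. Assumes Alpine-style versions "X.Y.Z-rN".
FIXED_VERSION="7.1.2.19-r0"
PACKAGES="imagemagick imagemagick-jpeg imagemagick-libs"

# Return 0 (true) if version $1 is lower than $2. Dotted numeric parts are compared
# left to right, missing parts count as 0, then the -rN release number decides.
apk_ver_lt() {
  a_ver=${1%-r*}; a_rel=${1##*-r}
  b_ver=${2%-r*}; b_rel=${2##*-r}
  a="$a_ver."; b="$b_ver."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  [ "$a_rel" -lt "$b_rel" ]
}

# Read `apk info -v` output (one "name-version-rN" line per package) on stdin and
# print every listed ImageMagick package below FIXED_VERSION.
# Returns 0 if at least one vulnerable package was found, 1 otherwise.
find_vulnerable() {
  found=1
  while IFS= read -r line; do
    for pkg in $PACKAGES; do
      case "$line" in
        "$pkg"-[0-9]*)
          ver=${line#"$pkg"-}
          if apk_ver_lt "$ver" "$FIXED_VERSION"; then
            echo "$pkg $ver < $FIXED_VERSION (CVE-2026-40312 still present)"
            found=0
          fi ;;
      esac
    done
  done
  return $found
}

# Constructed sample of `apk info -v` output mirroring the alert (not real scanner data).
SAMPLE_APK_INFO='busybox-1.37.0-r0
imagemagick-libs-7.1.2.17-r0
imagemagick-jpeg-7.1.2.17-r0
imagemagick-7.1.2.17-r0'

printf '%s\n' "$SAMPLE_APK_INFO" | find_vulnerable
```

Inside a running container the same check is `apk info -v | find_vulnerable`; because it exits 0 when a vulnerable package is found, it can gate a CI step so a rebuild that still ships 7.1.2.17-r0 fails instead of being published.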