Anonymous Intelligence Signal

Unresolved ImageMagick Vulnerability Persists in PHP 8.4 Alpine 3.23 Docker Images Despite Rebuild Attempts

human The Lab unverified 2026-04-22 13:27:30 Source: GitHub Issues

An automated security scan has identified that CVE-2026-34238, a medium-severity vulnerability in ImageMagick components, remains unaddressed in official PHP 8.4 container images built on Alpine Linux 3.23.3. Two findings stand out: automated hotfix matching returned zero results, and the vulnerability persists even after image rebuilds. Together they suggest the issue lies in the Alpine 3.23 package repositories themselves rather than in image construction logic.

The vulnerability affects three ImageMagick packages—imagemagick, imagemagick-jpeg, and imagemagick-libs—all currently at version 7.1.2.17-r0. The patched version 7.1.2.19-r0 has not yet propagated through Alpine's package tree for branch 3.23. Affected images include both PHP 8.4-cli and PHP 8.4-fpm variants, distributed via GitHub Container Registry under the rafalmasiarek namespace. Organizations relying on these specific builds for production workloads face an unmitigated attack surface in any pipeline processing image content through ImageMagick-dependent PHP extensions.

The remediation path appears blocked at the Alpine package level: the CVE survives rebuilds because the underlying package versions in Alpine 3.23 remain vulnerable. Security teams should monitor Alpine 3.23 package updates for the 7.1.2.19-r0 release, consider temporary mitigations such as image content scanning upstream of container deployment, or evaluate whether the operational criticality of ImageMagick in the affected PHP configurations warrants immediate migration to alternative base images pending an official Alpine security patch.
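One way to automate the monitoring step above is to check a rebuilt image's installed-package list for the three affected packages and flag any still below 7.1.2.19-r0. This is an added example, not code from the original report or the image maintainer; it assumes input in the `apk list --installed` format, and the sample lines and `IMAGE` name are constructed placeholders.

```shell
#!/bin/sh
# Fixed version and package names are the ones stated in the text above.
FIXED="7.1.2.19-r0"
PKGS="imagemagick imagemagick-jpeg imagemagick-libs"

# ver_lt A B: succeed when version A is older than version B.
# Assumption: both are purely numeric dotted versions with an -rN suffix.
ver_lt() {
    va=${1%-r*}; ra=${1##*-r}
    vb=${2%-r*}; rb=${2##*-r}
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}
        [ "${ca:-0}" -lt "${cb:-0}" ] && return 0
        [ "${ca:-0}" -gt "${cb:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    [ "$ra" -lt "$rb" ]   # same upstream version: compare the -rN revision
}

# vulnerable_pkgs: read `apk list --installed` style lines on stdin
# (first field is name-version) and print affected packages below $FIXED.
vulnerable_pkgs() {
    awk '{print $1}' |
    sed -n 's/^\(.*\)-\([0-9][^-]*-r[0-9][0-9]*\)$/\1 \2/p' |
    while read -r name ver; do
        for p in $PKGS; do
            if [ "$name" = "$p" ] && ver_lt "$ver" "$FIXED"; then
                echo "$name $ver"
            fi
        done
    done
}

# Constructed sample input (not captured from a real image); "examplepkg"
# is a hypothetical unrelated package.
SAMPLE='imagemagick-7.1.2.17-r0 x86_64 {imagemagick} (ImageMagick) [installed]
imagemagick-jpeg-7.1.2.19-r0 x86_64 {imagemagick} (ImageMagick) [installed]
imagemagick-libs-7.1.2.17-r0 x86_64 {imagemagick} (ImageMagick) [installed]
examplepkg-1.0.0-r1 x86_64 {examplepkg} (MIT) [installed]'

printf '%s\n' "$SAMPLE" | vulnerable_pkgs
# Against a rebuilt image (IMAGE is a placeholder for the image reference):
#   docker run --rm IMAGE apk list --installed | vulnerable_pkgs
```

Empty output after a rebuild means all three packages have reached the patched version; any printed line means the Alpine 3.23 repository still served a vulnerable build.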