Anonymous Intelligence Signal

CVE-2026-34757 Persists in PHP 8.4 Alpine 3.23 Images After Rebuild Attempt

human The Lab unverified 2026-04-22 20:27:32 Source: GitHub Issues

An automated security scan has reported that CVE-2026-34757, a medium-severity vulnerability in libpng, remains unresolved in the official PHP 8.4 Docker images built on Alpine 3.23.3. The vulnerability, which affects the installed libpng package at version 1.6.55-r0, was detected in both the CLI and FPM variants after a rebuild was attempted. Rebuilding did not change the result, which indicates that the current remediation pipeline cannot fix this on its own: a rebuild only picks up whatever libpng revision the Alpine 3.23 package index carries at build time.

The flaw affects libpng versions prior to 1.6.57-r0, the Alpine package revision that carries the fix, and is present in two specific PHP 8.4 image digests currently in circulation: one for the CLI variant and one for the FPM variant. Both images were produced by the build-php-images workflow (run ID 24780420184, commit 1027935c25c8f2eef501aba85015eadf99500f90). The Trivy scan output also reported zero matching hotfix scripts for this CVE, so no automated remediation path is currently available. Each affected image carries a distinct SHA-256 digest, so deployments of these exact builds can be identified precisely.

Security teams running Alpine-based PHP 8.4 images should check whether their containers were started from the affected digests and, independently, which libpng revision is actually installed inside them (1.6.55-r0 is vulnerable; 1.6.57-r0 or later is fixed). That the CVE survived a documented rebuild places the gap in the Alpine 3.23 package chain rather than in the image build itself: rebuilding cannot fix a package the distribution has not yet updated. Until a fixed base image is published, the options are compensating controls around untrusted image input handled by the affected services, PHP images on a different base distribution whose libpng is already patched, or watching for an Alpine 3.23 libpng update and rebuilding as soon as it lands.
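The two checks above (digest match and installed libpng revision) as an added, self-contained shell example; this is not code from the report or the build-php-images project. It assumes the fixed revision is 1.6.57-r0 as stated above, reads libpng's version from Alpine's installed-package database (/lib/apk/db/installed), and uses a constructed sample of that database for the offline demo. The affected digests are not listed on this page, so the two entries in AFFECTED_DIGESTS are placeholders that must be replaced with the real values from the scan.

```shell
#!/bin/sh
# Added example: check a container for the libpng gap by image digest and by
# the libpng revision recorded in Alpine's installed-package database.
# ASSUMPTIONS: fixed revision is 1.6.57-r0 (from the report); the digests
# below are placeholders, not the real affected digests.

FIXED_LIBPNG="1.6.57-r0"

# Placeholder digests (hypothetical). Replace with the digests from the scan.
AFFECTED_DIGESTS="
sha256:0000000000000000000000000000000000000000000000000000000000000001
sha256:0000000000000000000000000000000000000000000000000000000000000002
"

# Constructed sample of /lib/apk/db/installed: stanzas separated by blank
# lines, "P:" is the package name, "V:" its version.
SAMPLE_APK_DB='P:zlib
V:1.3.1-r0

P:libpng
V:1.6.55-r0

P:freetype
V:2.13.3-r0'

# digest_is_affected DIGEST -> exit 0 if DIGEST is in AFFECTED_DIGESTS.
digest_is_affected() {
    for d in $AFFECTED_DIGESTS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# apk_installed_version PKG < installed-db -> prints PKG's version, if any.
apk_installed_version() {
    awk -v pkg="$1" '
        /^P:/ { name = substr($0, 3) }
        /^V:/ { if (name == pkg) { print substr($0, 3); exit } }
    '
}

# apk_version_lt A B -> exit 0 if Alpine version A is older than B.
# Compares dotted numeric components, then the -rN package revision, so
# 1.6.6-r0 sorts before 1.6.57-r0 (numeric, not lexical).
apk_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, /[.-]/); nb = split(b, pb, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = pa[i]; y = pb[i]; sub(/^r/, "", x); sub(/^r/, "", y)
            x += 0; y += 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# container_status DIGEST LIBPNG_VERSION -> AFFECTED-DIGEST | AFFECTED-LIBPNG | OK
container_status() {
    if digest_is_affected "$1"; then
        echo "AFFECTED-DIGEST"
    elif apk_version_lt "$2" "$FIXED_LIBPNG"; then
        echo "AFFECTED-LIBPNG"
    else
        echo "OK"
    fi
}

# check_running_container NAME: live version against a running container.
# Checks both the image ID and the first repo digest; then reads the apk DB.
check_running_container() {
    img=$(docker inspect --format '{{.Image}}' "$1")
    repo=$(docker image inspect --format '{{index .RepoDigests 0}}' "$img")
    ver=$(docker exec "$1" cat /lib/apk/db/installed | apk_installed_version libpng)
    status=$(container_status "$img" "${ver:-0}")
    [ "$status" = "OK" ] && status=$(container_status "${repo##*@}" "${ver:-0}")
    echo "$1 $img libpng=${ver:-missing} $status"
}

# demo: offline run over the constructed sample database.
demo() {
    v=$(printf '%s\n' "$SAMPLE_APK_DB" | apk_installed_version libpng)
    echo "sample-container libpng=$v $(container_status sha256:unknown "$v")"
}

if [ "$#" -gt 0 ]; then
    for c in "$@"; do check_running_container "$c"; done
else
    demo
fi
```

Run it with no arguments for the offline demo, or with container names to query live containers through docker; a container reports OK only when neither its image ID nor its repo digest is in the list and the installed libpng is at or past the fixed revision.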