CVE-2026-27456 Persists in Alpine 3.23 PHP 8.4 Container Images After Rebuild Attempts
An automated Trivy security scan has identified an unresolved medium-severity vulnerability in official PHP container images maintained by rafalmasiarek. The flaw, tracked as CVE-2026-27456, affects Alpine Linux 3.23.3-based images and persists despite attempted hotfix remediation, signaling potential gaps in the image build pipeline or upstream dependency resolution.
The vulnerability impacts three core system libraries: libblkid, libmount, and libuuid, all installed at version 2.41.2-r0, while the fixed version is 2.41.4-r0. Affected images include both the CLI and FPM variants of PHP 8.4, specifically two SHA-256 pinned image digests hosted on the GitHub Container Registry. The automated scan detected the CVE after a rebuild workflow was executed, confirming that the hotfix scripts matched and ran but did not eliminate the exposure in the final published images.
The persistence of CVE-2026-27456 after remediation attempts raises questions about whether the issue stems from base image lag, conditional package resolution during build, or caching mechanisms within the CI/CD pipeline. Organizations relying on these specific PHP images for containerized workloads face ongoing exposure until either the upstream Alpine 3.23 branch incorporates the patched library versions or the image maintainer implements a corrected build process. Security teams should evaluate whether their deployment pipelines pull these specific image digests and consider temporary mitigations or alternative base images pending a confirmed fix.
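A post-rebuild gate that reads a Trivy JSON report and refuses to treat the rebuild as a fix while the CVE is still listed, as an added example that is not part of the original article or the maintainer's own pipeline. The two reports below are constructed sample data shaped like Trivy's JSON output (not real scan results); the image names and digests are placeholders, since the page does not give the real pinned digests. The apk version comparison is a simplified one written for this example: it handles dotted numeric versions with an `-rN` release suffix, which covers the 2.41.2-r0 / 2.41.4-r0 case, and rejects anything else rather than guessing.

```python
"""Post-rebuild remediation check against a Trivy JSON report (added example)."""
import json
import re

# Constructed sample: what a Trivy JSON report looks like when the rebuild
# still ships the vulnerable util-linux libraries. Image name and digest are
# placeholders, not the page's real pinned digests.
REPORT_AFTER_REBUILD = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/example/php:8.4-cli@sha256:PLACEHOLDER_DIGEST",
    "ArtifactType": "container_image",
    "Results": [{
        "Target": "ghcr.io/example/php:8.4-cli (alpine 3.23.3)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-27456", "PkgName": pkg,
             "InstalledVersion": "2.41.2-r0", "FixedVersion": "2.41.4-r0",
             "Severity": "MEDIUM"}
            for pkg in ("libblkid", "libmount", "libuuid")
        ],
    }],
})

# Constructed sample: the same target after the patched packages landed.
# Trivy omits packages that are no longer vulnerable, so the list is empty.
REPORT_CLEAN = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/example/php:8.4-cli@sha256:PLACEHOLDER_DIGEST",
    "ArtifactType": "container_image",
    "Results": [{
        "Target": "ghcr.io/example/php:8.4-cli (alpine 3.23.3)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [],
    }],
})

# Simplified apk version grammar (assumption): dotted digits plus -rN release.
_APK_VERSION = re.compile(r"^(\d+(?:\.\d+)*)-r(\d+)$")


def parse_apk_version(version: str) -> tuple:
    """Turn '2.41.2-r0' into ((2, 41, 2), 0) so tuples compare in apk order.
    Suffixes such as _alpha or _p1 are rejected instead of mis-ordered."""
    match = _APK_VERSION.match(version)
    if not match:
        raise ValueError(f"unsupported apk version format: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return (numbers, int(match.group(2)))


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed package is at or above the fixed version."""
    return parse_apk_version(installed) >= parse_apk_version(fixed)


def unresolved_findings(report_json: str, cve_id: str) -> list:
    """Every package in the report still flagged for cve_id, with a check that
    the installed version really is below the fixed one."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null or omits the key when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id:
                continue
            installed = vuln.get("InstalledVersion", "")
            fixed = vuln.get("FixedVersion", "")
            findings.append({
                "target": result.get("Target", ""),
                "package": vuln.get("PkgName", ""),
                "installed": installed,
                "fixed": fixed,
                "severity": vuln.get("Severity", ""),
                # FixedVersion is empty when no patched package exists yet.
                "below_fix": bool(fixed) and not is_fixed(installed, fixed),
            })
    return findings


def remediation_verified(report_json: str, cve_id: str) -> bool:
    """Pipeline gate: only a report with no remaining findings counts as fixed.
    A rebuild that still lists the CVE should fail, not publish the image."""
    return not unresolved_findings(report_json, cve_id)


def summarize(report_json: str, cve_id: str) -> str:
    """One line per unresolved package, or a note that the CVE is gone."""
    lines = []
    for f in unresolved_findings(report_json, cve_id):
        status = "still below fixed version" if f["below_fix"] else "flagged"
        lines.append(f"{cve_id} {f['package']} installed {f['installed']} "
                     f"fixed {f['fixed'] or 'n/a'}: {status}")
    return "\n".join(lines) if lines else f"{cve_id}: not present in report"


if __name__ == "__main__":
    print(summarize(REPORT_AFTER_REBUILD, "CVE-2026-27456"))
    print("gate passes:", remediation_verified(REPORT_AFTER_REBUILD, "CVE-2026-27456"))
```

Running this against the first sample prints three "still below fixed version" lines and a failing gate, which is the outcome the article describes: the hotfix workflow ran, but the published image still carries 2.41.2-r0. Wiring `remediation_verified` into the build as a hard failure turns "scan detected the CVE after rebuild" from a post-hoc surprise into a blocked publish; the same check run on a fresh `apk` index before the build distinguishes base image lag (no 2.41.4-r0 available yet) from a caching or resolution problem inside the pipeline.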