CVE-2026-41254: High-Severity Vulnerability Detected in Alpine 3.23-Based PHP Images
An automated Trivy security scan has identified an unpatched high-severity vulnerability, CVE-2026-41254, affecting Docker images built on Alpine Linux 3.23. The flaw lies in the lcms2 package. Trivy reports 2.19-r0 as the fixed version, so images carrying lcms2 builds from 2.17-r0 up to, but not including, 2.19-r0 are affected and remain exposed to potential exploitation. This is a concrete, actionable finding that needs prompt remediation by the development and security operations teams that build and run these images.
The vulnerability affects multiple PHP runtime images maintained under the ghcr.io/rafalmasiarek/php repository. Affected deployments span both the CLI and FPM variants across PHP branches 8.4 and 8.5, with Alpine 3.23.3 and 3.23.4 identified as the affected base versions. Four distinct container images carry the vulnerability, each identified by its SHA-256 digest; match running deployments against those digests rather than against tags, since a tag can be rebuilt and re-pointed while a digest cannot. The exposure affects production environments relying on these Alpine-based PHP images for web services, API backends, or other containerized workloads.
A matching hotfix script is available; it upgrades the lcms2 package to 2.19-r0, the fixed build reported by Trivy. Organizations running affected images should audit their container registries, stop deploying the affected image tags and digests, and apply the fix without delay. Because a container's filesystem is recreated from its image on every restart, the durable fix is to rebuild and republish the images with the patched package rather than upgrading lcms2 inside running containers, and to confirm the rebuilt images with a fresh scan before re-enabling deployment. Given the high severity rating and the number of affected PHP variants, this vulnerability carries significant risk for environments where image provenance and dependency hygiene are critical operational requirements.
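The audit, halt and verify steps above can be automated against Trivy's JSON output. The following is an added example and not code from the original advisory or from the ghcr.io/rafalmasiarek/php project. It assumes reports produced with `trivy image --format json -o report.json IMAGE` (top-level `ArtifactName` plus `Results[].Vulnerabilities[]`), `apk list --installed` output from inside a running container, and the fixed build 2.19-r0 named above; the sample reports, image tags and package versions embedded below are constructed for illustration and are not the advisory's four digests.

```python
"""Triage helpers for CVE-2026-41254 (lcms2 on Alpine 3.23).

Added example, not part of the original advisory or the image project.
Sample data is constructed; real input comes from Trivy JSON reports and
from `apk list --installed` run inside a container.
"""
import re

CVE_ID = "CVE-2026-41254"
PKG = "lcms2"
FIXED_VERSION = "2.19-r0"  # fixed build reported by Trivy per the advisory

# Constructed sample in the shape of `trivy image --format json` output.
SAMPLE_REPORTS = [
    {
        "ArtifactName": "ghcr.io/rafalmasiarek/php:8.4-fpm",
        "Metadata": {"OS": {"Family": "alpine", "Name": "3.23.3"}},
        "Results": [{
            "Target": "ghcr.io/rafalmasiarek/php:8.4-fpm (alpine 3.23.3)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [{
                "VulnerabilityID": CVE_ID,
                "PkgName": PKG,
                "InstalledVersion": "2.17-r0",
                "FixedVersion": FIXED_VERSION,
                "Severity": "HIGH",
            }],
        }],
    },
    {   # rebuilt image: Trivy lists nothing for this CVE
        "ArtifactName": "ghcr.io/rafalmasiarek/php:8.5-cli",
        "Metadata": {"OS": {"Family": "alpine", "Name": "3.23.4"}},
        "Results": [{
            "Target": "ghcr.io/rafalmasiarek/php:8.5-cli (alpine 3.23.4)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [],
        }],
    },
]


def parse_apk_version(version):
    """Split an apk version such as '2.17-r0' into ((2, 17), 0).

    Simplified ordering: dotted numeric components, then the -rN build
    release. Suffixes such as _p1 or _git are not modelled here.
    """
    base, _, rel = version.partition("-r")
    nums = tuple(int(p) for p in re.findall(r"\d+", base))
    return nums, int(rel or 0)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed apk build is at or beyond the fixed build."""
    return parse_apk_version(installed) >= parse_apk_version(fixed)


def affected_packages(report, cve_id=CVE_ID):
    """Return (target, pkg, installed, fixed) tuples for cve_id in one report."""
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id:
                continue
            installed = vuln.get("InstalledVersion", "")
            fixed = vuln.get("FixedVersion") or ""
            # Re-check the version order so a stale report cannot flag an
            # image that has since been rebuilt with the fixed package.
            if fixed and is_fixed(installed, fixed):
                continue
            target = result.get("Target", report.get("ArtifactName", "?"))
            hits.append((target, vuln.get("PkgName"), installed, fixed))
    return hits


def triage(reports):
    """Map image name -> findings; images with no findings are omitted."""
    out = {}
    for report in reports:
        hits = affected_packages(report)
        if hits:
            out[report["ArtifactName"]] = hits
    return out


# Line shape: 'lcms2-2.17-r0 x86_64 {lcms2} (MIT) [installed]'
APK_LIST_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^ ]*) ")


def container_is_patched(apk_list_output, pkg=PKG, fixed=FIXED_VERSION):
    """Check `apk list --installed <pkg>` output from a running container.

    Returns True/False, or None when the package is not listed at all.
    """
    for line in apk_list_output.splitlines():
        m = APK_LIST_RE.match(line)
        if m and m.group("name") == pkg:
            return is_fixed(m.group("ver"), fixed)
    return None


def remediation_command(pkg=PKG, fixed=FIXED_VERSION):
    """Dockerfile RUN line that pins at least the fixed build; apk fails the
    build if the repository does not yet carry it, which is what CI wants."""
    return f"apk add --no-cache '{pkg}>={fixed}'"


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_REPORTS).items():
        for _target, pkg, installed, fixed in hits:
            print(f"{image}: {pkg} {installed} < {fixed} ({CVE_ID})")
    print("fix:", remediation_command())
```

To keep the gap from reopening, gate image publication on the scanner itself, for example `trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed IMAGE` in the build pipeline, so a rebuilt image that still carries a fixable high-severity finding never reaches the registry.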