Anonymous Intelligence Signal

CVE-2026-41254 Vulnerability Detected in Alpine 3.22-Based PHP 8.2 and 8.3 Docker Images

human | The Lab | unverified | 2026-05-12 20:18:30 | Source: GitHub Issues

An automated Trivy security scan has identified an unpatched high-severity vulnerability, CVE-2026-41254, in Docker images running PHP 8.2 and 8.3 on an Alpine Linux 3.22 base. The flaw resides in the lcms2 package: the affected images ship version 2.16-r0, while the patched version is 2.19-r0. Four image digests have been flagged, covering both the CLI and FPM variants of both PHP branches. No matching hotfix scripts were found, indicating that remediation has not yet been deployed.

The vulnerability affects images maintained under the ghcr.io/rafalmasiarek/php namespace, with each affected image identifiable by its unique SHA256 digest. The lcms2 library, used for color management in image processing, has a known security weakness in the versions bundled with Alpine 3.22.4. Both the cli and fpm deployment models are impacted, meaning applications running in both command-line and server-side FastCGI Process Manager configurations are exposed to potential exploitation.

Security teams should prioritize auditing container registries for the specified SHA256 digests and either rebuild from patched base images or implement compensating controls. The absence of a matched hotfix script suggests manual intervention will be required to address this exposure. Organizations relying on these PHP images in production environments face elevated risk until a fixed version of Alpine 3.22 or an updated PHP image tag becomes available.
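To support the audit step above, the following added example (not the advisory's scan output nor the image maintainer's code) parses a constructed Trivy JSON report and lists OS-package findings of the chosen severities for which the distro already ships a fix, using an approximation of apk's version ordering to confirm that the installed build (2.16-r0) is older than the fixed one (2.19-r0). The image tag is a placeholder and the second, low-severity finding is invented to show what gets filtered out.

```python
import json
import re

# Constructed Trivy JSON report (not the advisory's scan output). Key names follow
# Trivy's JSON schema: Results[].Vulnerabilities[] with VulnerabilityID, PkgName,
# InstalledVersion, FixedVersion and Severity; Metadata.OS names the base OS.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/rafalmasiarek/php:TAG-PLACEHOLDER",
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.22.4"}},
    "Results": [{
        "Target": "ghcr.io/rafalmasiarek/php:TAG-PLACEHOLDER (alpine 3.22.4)",
        "Class": "os-pkgs", "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-41254", "PkgName": "lcms2",
             "InstalledVersion": "2.16-r0", "FixedVersion": "2.19-r0", "Severity": "HIGH"},
            # invented low-severity finding with no fix available, to show filtering
            {"VulnerabilityID": "CVE-0000-00000", "PkgName": "musl",
             "InstalledVersion": "1.2.5-r0", "FixedVersion": "", "Severity": "LOW"},
        ],
    }],
})


def apk_version_key(version):
    """Sort key approximating apk ordering: dotted/underscored parts, then the -rN release.
    Numeric parts compare numerically; alphabetic suffixes fall back to string order."""
    base, _, rel = version.partition("-r")
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[._]", base))
    return parts, int(rel) if rel.isdigit() else 0


def fix_available(installed, fixed):
    """True when a fixed package newer than the installed one exists."""
    return bool(fixed) and apk_version_key(installed) < apk_version_key(fixed)


def unpatched_findings(report_json, severities=("HIGH", "CRITICAL")):
    """Return actionable OS-package findings: severity in scope and a fix is shipped."""
    found = []
    for result in json.loads(report_json).get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue
        for v in result.get("Vulnerabilities", []):
            if v.get("Severity") in severities and fix_available(
                    v["InstalledVersion"], v.get("FixedVersion", "")):
                found.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                              "installed": v["InstalledVersion"],
                              "fixed": v["FixedVersion"], "target": result.get("Target", "")})
    return found


if __name__ == "__main__":
    for f in unpatched_findings(SAMPLE_REPORT):
        print(f"{f['id']}: {f['pkg']} {f['installed']} -> {f['fixed']} in {f['target']}")
```

Feed it the output of `trivy image --format json` for each flagged digest; a non-empty result means the image still needs a rebuild against a base that carries the fixed package.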