CVE-2026-34743 Vulnerability Detected in Alpine 3.22-Based PHP Images: XZ Package Exposure Across 8.2 and 8.3 Branches
Automated security scanning has identified CVE-2026-34743, a medium-severity vulnerability affecting PHP container images built on Alpine Linux 3.22.4. The flaw resides in the xz and xz-libs packages, currently installed at version 5.8.1-r0, with patched versions available at 5.8.3-r0. The vulnerability was uncovered during a routine Trivy scan, triggering immediate remediation protocols for affected deployments.
The exposure spans four PHP image variants: two branches (8.2 and 8.3) across two execution models (cli and fpm). All affected images share the same base commit identifier (sha-b3e994e), suggesting a common build pipeline introduced the vulnerable dependency. The affected images are distributed via GitHub Container Registry under the ghcr.io/rafalmasiarek/php namespace. Each variant carries a distinct SHA-256 digest, so affected containers can be identified precisely by digest and quarantined in production environments.
Security teams running these PHP images in containerized workloads should prioritize upgrading to patched versions incorporating xz 5.8.3-r0 or later. The xz library provides compression for the xz utilities and for any process linked against xz-libs; the risk from this flaw is primarily denial-of-service or unexpected behavior in processes that use the library. Organizations utilizing Alpine-based PHP containers should audit their image registries, rebuild from updated base images, and implement image signing verification to prevent similar supply-chain risks. The remediation timeline depends on deployment complexity, but immediate registry-level blocking of the identified SHA digests is the most urgent action.
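The audit-and-block step above can be scripted against the Trivy JSON reports that surfaced the finding. The following Python is an added example, not code from the advisory or from the rafalmasiarek/php project: it compares installed and fixed apk versions for the xz and xz-libs packages, decides per image whether CVE-2026-34743 is still unpatched, and emits the registry digests to block. The embedded reports are constructed, the digests are placeholders (the real ones come from your registry), the field names follow Trivy's JSON output as I know it (ArtifactName, Metadata.RepoDigests, Results[].Vulnerabilities[]), and the version parser is a simplified model of apk versions that handles only dotted numeric upstream versions plus the -rN package release.

```python
"""Triage helper for an Alpine package CVE reported by Trivy.

Added example, not part of the original advisory or the rafalmasiarek/php
project. Parses Trivy-style JSON reports, compares installed vs. fixed apk
versions, and produces a list of image digests to block at the registry.
"""
import re

CVE_ID = "CVE-2026-34743"          # from the advisory
FIXED_VERSION = "5.8.3-r0"         # from the advisory
AFFECTED_PKGS = {"xz", "xz-libs"}  # from the advisory
IMAGE = "ghcr.io/rafalmasiarek/php"


def parse_apk_version(version: str):
    """Split an Alpine package version like '5.8.1-r0' into a comparable tuple.

    Assumption for this example: only dotted numeric upstream versions plus the
    -rN package release are modelled; suffixes such as _p1 or _alpha are not.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported apk version string: {version!r}")
    upstream = tuple(int(part) for part in m.group(1).split("."))
    release = int(m.group(2) or 0)
    return upstream, release  # tuples compare numerically, so 5.8.10 > 5.8.9


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_apk_version(installed) < parse_apk_version(fixed)


def triage_report(report: dict) -> dict:
    """Evaluate one Trivy report for CVE_ID in the affected packages.

    Returns the image name, its repo digests, the per-package findings and a
    'block' flag that is False once every affected package is at or past the fix.
    """
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            if vuln.get("VulnerabilityID") != CVE_ID:
                continue
            if vuln.get("PkgName") not in AFFECTED_PKGS:
                continue
            installed = vuln["InstalledVersion"]
            findings.append({
                "pkg": vuln["PkgName"],
                "installed": installed,
                "vulnerable": is_vulnerable(installed, FIXED_VERSION),
            })
    return {
        "image": report.get("ArtifactName"),
        "digests": report.get("Metadata", {}).get("RepoDigests", []),
        "findings": findings,
        "block": any(f["vulnerable"] for f in findings),
    }


def build_blocklist(reports) -> list:
    """Sorted digests of every image that still ships a vulnerable xz build."""
    return sorted({d for r in map(triage_report, reports) if r["block"]
                   for d in r["digests"]})


def _sample(tag: str, digest: str, version: str) -> dict:
    # Constructed Trivy-style report for one image variant (placeholder digest).
    return {
        "ArtifactName": f"{IMAGE}:{tag}",
        "Metadata": {"RepoDigests": [f"{IMAGE}@{digest}"]},
        "Results": [{
            "Target": f"{IMAGE}:{tag} (alpine 3.22.4)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": CVE_ID, "PkgName": pkg,
                 "InstalledVersion": version, "FixedVersion": FIXED_VERSION,
                 "Severity": "MEDIUM"}
                for pkg in sorted(AFFECTED_PKGS)
            ],
        }],
    }


# Placeholder digests (repeated hex bytes), NOT the real image digests.
SAMPLE_REPORTS = [
    _sample("8.2-cli", "sha256:" + "a1" * 32, "5.8.1-r0"),
    _sample("8.2-fpm", "sha256:" + "b2" * 32, "5.8.1-r0"),
    _sample("8.3-cli", "sha256:" + "c3" * 32, "5.8.1-r0"),
    _sample("8.3-fpm", "sha256:" + "d4" * 32, "5.8.1-r0"),
    # A rebuilt image carrying the fixed package: must not land on the blocklist.
    _sample("8.3-fpm-rebuilt", "sha256:" + "e5" * 32, "5.8.3-r0"),
]


if __name__ == "__main__":
    import json
    import sys
    # Pass real `trivy image --format json` output files as arguments, or run
    # without arguments to use the constructed samples above.
    reports = [json.load(open(path)) for path in sys.argv[1:]] or SAMPLE_REPORTS
    for digest in build_blocklist(reports):
        print("block", digest)
```

The version comparison is deliberately strict-less-than, so an image rebuilt with 5.8.3-r0 or any later release drops off the blocklist automatically on the next scan. In a real pipeline, apk's own comparison (`apk version -t OLD NEW` inside the image) is the authoritative check for version strings the simplified parser rejects.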