## Security Alert: High-Severity CVE-2026-33636 in Alpine 3.22 Images Affects PHP 8.2 & 8.3
A high-severity vulnerability, CVE-2026-33636, has been automatically detected in container images based on Alpine Linux 3.22. The flaw resides in the `libpng` library, a critical component for processing PNG images, and remains unresolved in the currently deployed versions. This creates a direct security exposure for any systems running the affected containerized PHP applications.

The vulnerability specifically impacts the `libpng` package version `1.6.55-r0`. A fixed version, `1.6.56-r0`, is available but has not been applied. The issue affects multiple official PHP Docker image variants hosted on GitHub Container Registry (ghcr.io) under the repository `rafalmasiarek/php`. Both the PHP 8.2 and PHP 8.3 branches are affected across their `cli` and `fpm` variants, with four distinct image hashes explicitly identified as vulnerable. The base Alpine version detected in these images is 3.22.3.
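
A check for the condition described above, as an added example that is not part of the original alert or of the image repository's tooling: it reads apk's installed-package database and reports whether `libpng` is older than the fixed `1.6.56-r0`. The function names, the constructed sample database and the simplified version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag an Alpine image whose libpng predates the fixed build.
FIXED="1.6.56-r0"   # fixed version stated in the alert

# ver_lt A B: succeed if A < B. Assumption: versions are numeric dotted
# strings with an -rN release suffix (1.6.55-r0); apk suffixes such as
# _rc or _p are not handled.
ver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    ra = a; rb = b
    sub(/^.*-r/, "", ra); sub(/^.*-r/, "", rb)        # package release N
    sub(/-r[0-9]+$/, "", a); sub(/-r[0-9]+$/, "", b)  # upstream version
    n = split(a, x, "."); m = split(b, y, ".")
    max = (n > m) ? n : m
    for (i = 1; i <= max; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit !(ra + 0 < rb + 0)   # upstream equal: compare release numbers
  }'
}

# installed_version PKG: read an apk installed database (the format of
# /lib/apk/db/installed: blank-line separated records with P: and V: fields)
# on stdin and print PKG's version, or nothing if PKG is not installed.
installed_version() {
  awk -v pkg="$1" '
    /^P:/ { name = substr($0, 3) }
    /^V:/ && name == pkg { print substr($0, 3); exit }
    /^$/  { name = "" }
  '
}

# libpng_status: print "vulnerable", "fixed" or "absent" for the db on stdin.
libpng_status() {
  v=$(installed_version libpng)
  if [ -z "$v" ]; then echo absent
  elif ver_lt "$v" "$FIXED"; then echo vulnerable
  else echo fixed
  fi
}

# Constructed sample database, trimmed to the two fields the check reads.
sample_db() {
  printf 'P:zlib\nV:1.3.1-r2\n\nP:libpng\nV:1.6.55-r0\n'
}

sample_db | libpng_status
```

Against a real image, feed the contents of `/lib/apk/db/installed` from the container's filesystem to `libpng_status` on stdin.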

This unresolved high-severity CVE in a core library presents a tangible risk to application security and integrity. Systems utilizing these specific container images for web services or applications processing user-uploaded PNG files could be vulnerable to exploitation. While a remediation script has been matched, the status indicates the fix has not yet been deployed, leaving the images in a known vulnerable state. This scenario underscores the critical importance of continuous vulnerability scanning and prompt patching in containerized environments to mitigate supply chain risks.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, Container Security, Supply Chain, PHP, Alpine Linux
- **Credibility**: unverified
- **Published**: 2026-04-05 07:26:52
- **ID**: 50418
- **URL**: https://whisperx.ai/en/intel/50418