Affected MCR / consumer images
We consume Azure Linux 3.0 distroless base images indirectly via Microsoft OpenJDK container images. These images are used as the base for our Java workloads.
Although OpenJDK images are rebuilt frequently (~3x/week), the OpenSSL fix does not appear to be picked up because the underlying Azure Linux distroless base image in MCR has not yet been updated, despite the fix being present in 3.0-dev.
Latest scan (2026-06-23, linux/amd64, trivy 0.69.3):
| Image |
Digest (latest :3.0) |
Installed |
Trivy "fixed in" |
mcr.microsoft.com/azurelinux/distroless/base:3.0 |
sha256:f8f5a9bb739ad1ec347853144c9ed4ca2260e587082277bc6066fcd5cc9973e8 |
openssl 3.3.5-5.azl3 |
3.3.7-2.azl3 |
CVE-2026-34182 is still reported due to the installed OpenSSL version (3.3.5-5.azl3 vs fixed 3.3.7-2.azl3).
Source vs published image
The fix is present in Azure Linux 3.0-dev (commit d1ee7f9
/ PR #17752 , where openssl has been updated to 3.3.7-2 with CVE-2026-34182.patch), However, the MCR distroless image mcr.microsoft.com/azurelinux/distroless/base:3.0 still ships openssl 3.3.5-5.azl3.
Impact
All downstream images based on Azure Linux 3.0 distroless continue to be flagged for CVE-2026-34182 in security scans, until the MCR base image is rebuilt and republished with the updated OpenSSL version.
Repro
trivy image mcr.microsoft.com/azurelinux/distroless/base:3.0
docker run -it --rm mcr.microsoft.com/azurelinux/distroless/debug:3.0 busybox sh
# busybox cat /var/lib/rpmmanifest/container-manifest-2
...
openssl 3.3.5-5.azl3 1781853922 1775489501 Microsoft Corporation (none) 1856587 aarch64 0 openssl-3.3.5-5.azl3.src.rpm
openssl-libs 3.3.5-5.azl3 1781853922 1775489501 Microsoft Corporation (none) 5700032 aarch64 0 openssl-3.3.5-5.azl3.src.rpm
...
Could you confirm when the Azure Linux 3.0 distroless base image will be rebuilt and republished to include OpenSSL 3.3.7-2.azl3?
Affected MCR / consumer images
We consume Azure Linux 3.0 distroless base images indirectly via Microsoft OpenJDK container images. These images are used as the base for our Java workloads.
Although OpenJDK images are rebuilt frequently (~3x/week), the OpenSSL fix does not appear to be picked up because the underlying Azure Linux distroless base image in MCR has not yet been updated, despite the fix being present in
3.0-dev.Latest scan (2026-06-23,
linux/amd64, trivy 0.69.3)::3.0)mcr.microsoft.com/azurelinux/distroless/base:3.0sha256:f8f5a9bb739ad1ec347853144c9ed4ca2260e587082277bc6066fcd5cc9973e8openssl3.3.5-5.azl3CVE-2026-34182 is still reported due to the installed OpenSSL version (3.3.5-5.azl3 vs fixed 3.3.7-2.azl3).
Source vs published image
The fix is present in Azure Linux 3.0-dev (commit d1ee7f9
/ PR #17752 , where
opensslhas been updated to 3.3.7-2 withCVE-2026-34182.patch), However, the MCR distroless imagemcr.microsoft.com/azurelinux/distroless/base:3.0still ships openssl 3.3.5-5.azl3.Impact
All downstream images based on Azure Linux 3.0 distroless continue to be flagged for CVE-2026-34182 in security scans, until the MCR base image is rebuilt and republished with the updated OpenSSL version.
Repro
docker run -it --rm mcr.microsoft.com/azurelinux/distroless/debug:3.0 busybox sh # busybox cat /var/lib/rpmmanifest/container-manifest-2 ... openssl 3.3.5-5.azl3 1781853922 1775489501 Microsoft Corporation (none) 1856587 aarch64 0 openssl-3.3.5-5.azl3.src.rpm openssl-libs 3.3.5-5.azl3 1781853922 1775489501 Microsoft Corporation (none) 5700032 aarch64 0 openssl-3.3.5-5.azl3.src.rpm ...Could you confirm when the Azure Linux 3.0 distroless base image will be rebuilt and republished to include OpenSSL
3.3.7-2.azl3?