
[3.0] [docker] Critical Vulnerability on distroless base CVE-2026-34182 #17789

Description

@gonpinho

Affected MCR / consumer images

We consume Azure Linux 3.0 distroless base images indirectly via Microsoft OpenJDK container images. These images are used as the base for our Java workloads.

Although OpenJDK images are rebuilt frequently (~3x/week), the OpenSSL fix does not appear to be picked up because the underlying Azure Linux distroless base image in MCR has not yet been updated, despite the fix being present in 3.0-dev.

Latest scan (2026-06-23, linux/amd64, trivy 0.69.3):

Image: mcr.microsoft.com/azurelinux/distroless/base:3.0
Digest (latest :3.0): sha256:f8f5a9bb739ad1ec347853144c9ed4ca2260e587082277bc6066fcd5cc9973e8
Installed: openssl 3.3.5-5.azl3
Trivy "fixed in": 3.3.7-2.azl3

CVE-2026-34182 is still reported due to the installed OpenSSL version (3.3.5-5.azl3 vs fixed 3.3.7-2.azl3).

Source vs published image

The fix is present in Azure Linux 3.0-dev (commit d1ee7f9 / PR #17752, where openssl has been updated to 3.3.7-2 with CVE-2026-34182.patch). However, the MCR distroless image mcr.microsoft.com/azurelinux/distroless/base:3.0 still ships openssl 3.3.5-5.azl3.

Impact

All downstream images based on Azure Linux 3.0 distroless continue to be flagged for CVE-2026-34182 in security scans until the MCR base image is rebuilt and republished with the updated OpenSSL version.

Repro

trivy image mcr.microsoft.com/azurelinux/distroless/base:3.0 
docker run -it --rm mcr.microsoft.com/azurelinux/distroless/debug:3.0 busybox sh
# busybox cat /var/lib/rpmmanifest/container-manifest-2
...
openssl	3.3.5-5.azl3	1781853922	1775489501	Microsoft Corporation	(none)	1856587	aarch64	0	openssl-3.3.5-5.azl3.src.rpm
openssl-libs	3.3.5-5.azl3	1781853922	1775489501	Microsoft Corporation	(none)	5700032	aarch64	0	openssl-3.3.5-5.azl3.src.rpm
...

Could you confirm when the Azure Linux 3.0 distroless base image will be rebuilt and republished to include OpenSSL 3.3.7-2.azl3?
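The version comparison behind the scan result in this issue (installed 3.3.5-5.azl3 versus fixed 3.3.7-2.azl3), as an added example that is not part of the issue or of the Azure Linux project: it parses container-manifest-2 rows like the two quoted in the repro and compares the installed version-release against the scanner's "fixed in" version under rpm's rpmvercmp ordering (ported from rpm here, so that releases such as 10 versus 2, epochs, and '~'/'^' markers compare the way rpm does rather than as plain strings). The tab-separated column layout (package name, then version-release, in the first two columns) is an assumption taken from the two rows quoted above; no other column is relied on, and the sample manifest is constructed from those two rows.

```python
# Added example, not code from the issue or the Azure Linux project. Assumes the
# manifest is tab-separated with NAME in column 1 and VERSION-RELEASE in column 2,
# as the two openssl rows quoted in the issue suggest; no other column is used.

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not a[i].isalnum() and a[i] not in "~^":
            i += 1  # skip separators such as '.', '-', '_'
        while j < lb and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":  # '~' sorts before everything, even end of string
            if ca != cb:
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # '^' sorts after end of string, before anything else
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != cb:
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while si < la and kind(a[si]):
            si += 1
        while sj < lb and kind(b[sj]):
            sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:  # mixed types: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        if isnum:  # numeric: drop leading zeros, then the longer string is larger
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever side still has segments left is newer

def split_evr(evr: str) -> tuple:
    """'1:3.3.5-5.azl3' -> ('1', '3.3.5', '5.azl3'); the epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release

def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings as rpm does: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

def parse_manifest(text: str) -> dict:
    """Map package NAME -> VERSION-RELEASE from container-manifest-2 text."""
    pkgs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 2 or not fields[0]:
            raise ValueError(f"malformed manifest line: {line!r}")
        pkgs[fields[0]] = fields[1]
    return pkgs

def check_package(manifest_text: str, name: str, fixed_evr: str) -> dict:
    """'vulnerable' is True when the installed EVR sorts below the scanner's fixed EVR."""
    pkgs = parse_manifest(manifest_text)
    if name not in pkgs:
        raise LookupError(f"{name} not present in manifest")
    installed = pkgs[name]
    return {"installed": installed, "fixed": fixed_evr,
            "vulnerable": evr_cmp(installed, fixed_evr) < 0}

# Constructed sample: the two openssl rows quoted in the issue, tab-joined.
SAMPLE_MANIFEST = "\n".join("\t".join(row) for row in (
    ("openssl", "3.3.5-5.azl3", "1781853922", "1775489501", "Microsoft Corporation",
     "(none)", "1856587", "aarch64", "0", "openssl-3.3.5-5.azl3.src.rpm"),
    ("openssl-libs", "3.3.5-5.azl3", "1781853922", "1775489501", "Microsoft Corporation",
     "(none)", "5700032", "aarch64", "0", "openssl-3.3.5-5.azl3.src.rpm"),
))

if __name__ == "__main__":
    r = check_package(SAMPLE_MANIFEST, "openssl-libs", "3.3.7-2.azl3")
    print(f"installed {r['installed']}, fixed in {r['fixed']}, vulnerable={r['vulnerable']}")
```

To run it against a real image, capture the manifest with the repro's docker run command (redirecting the busybox cat output to a file) and pass the file contents to check_package together with the package name and the "fixed in" version Trivy reports. The rpm ordering is the point of the example: a plain string comparison would rank 3.3.7-10.azl3 below 3.3.7-2.azl3 and miss an epoch bump entirely, so a home-grown check that does not follow rpmvercmp will disagree with the scanner on exactly the cases that matter.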

Labels: 3.0 (Issues and PRs for Azure Linux 3.0), bug (Something isn't working), security