2026.26
Changes
Mitigate CVE-2026-43284 and CVE-2026-43500
This release includes mitigation for CVE-2026-43284 and CVE-2026-43500, aka “Dirty Frag”.
Relay proxy dropped connection fix
This release improves error recovery in the relay proxy when clients close connections. Previously, a client closing a connection could leave the connection in an inconsistent state. Subsequent requests could then attempt to use that connection and fail, because the state maintained by the proxy server was not consistent with the state of the connection in PHP-FPM. With this change, a FastCGI abort is used when a client terminates a connection early, releasing PHP-FPM resources as early as possible and preventing connection reuse.
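A minimal model of the behaviour described above, added here as an illustration and not taken from the relay proxy's code: it encodes the `FCGI_ABORT_REQUEST` record defined by the FastCGI specification and retires the upstream connection when the client disconnects mid-request. The `UpstreamConnection` class and its method names are hypothetical.

```python
import struct

# Record constants from the FastCGI 1.0 specification; everything else here is illustrative.
FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_ABORT_REQUEST, FCGI_END_REQUEST = 1, 2, 3
HEADER = struct.Struct("!BBHHBx")  # version, type, requestId, contentLength, paddingLength, reserved

def build_record(rtype, request_id, content=b""):
    """Encode one FastCGI record (header + content, no padding)."""
    return HEADER.pack(FCGI_VERSION_1, rtype, request_id, len(content), 0) + content

def parse_records(data):
    """Yield (type, request_id, content) for each complete record in data."""
    offset = 0
    while offset + HEADER.size <= len(data):
        version, rtype, request_id, clen, plen = HEADER.unpack_from(data, offset)
        if version != FCGI_VERSION_1:
            raise ValueError("unexpected FastCGI version")
        end = offset + HEADER.size + clen + plen
        if end > len(data):
            break  # truncated record: wait for more bytes before parsing it
        yield rtype, request_id, data[offset + HEADER.size:offset + HEADER.size + clen]
        offset = end

class UpstreamConnection:
    """Hypothetical model of one proxy-to-PHP-FPM connection."""
    def __init__(self):
        self.in_flight = None  # request id still awaiting FCGI_END_REQUEST
        self.reusable = True

    def begin(self, request_id):
        if not self.reusable or self.in_flight is not None:
            raise RuntimeError("connection is not safe to reuse")
        self.in_flight = request_id
        # Body: role=1 (FCGI_RESPONDER), flags=1 (FCGI_KEEP_CONN), 5 reserved bytes
        return build_record(FCGI_BEGIN_REQUEST, request_id, struct.pack("!HB5x", 1, 1))

    def on_upstream_data(self, data):
        for rtype, request_id, _ in parse_records(data):
            if rtype == FCGI_END_REQUEST and request_id == self.in_flight:
                self.in_flight = None  # request finished cleanly

    def on_client_closed(self):
        """Client went away: abort any in-flight request and retire the connection."""
        if self.in_flight is None:
            return b""  # nothing outstanding, connection state is consistent
        self.reusable = False
        return build_record(FCGI_ABORT_REQUEST, self.in_flight)
```
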
New “Standard Magento” stack
This release introduces a new web-server-v4 image family. Note that this
family is not compatible with the invoker-based web-server images, and they
must not be considered interchangeable.
Component upgrades
| Component | Previous | Current |
|---|---|---|
| PHP | 8.2.30 | 8.2.31 |
| PHP | 8.3.30 | 8.3.31 |
| PHP | 8.4.20 | 8.4.21 |
| PHP | 8.5.5 | 8.5.6 |
| Composer | 2.9.7 | 2.9.8 |
Artifacts matrix
| Image Type | Family / Variant | OS | Packages | Architectures | URI |
|---|---|---|---|---|---|
| Container | php-fpm:8.1-arm64 | Debian 13.2 | 8.1.34, composer-2.9.8 | arm64 | public.ecr.aws/webscale/php-fpm:8.1-arm64-2026.26 |
| Container | php-fpm:8.2-arm64 | Debian 13.4 | 8.2.31, composer-2.9.8 | arm64 | public.ecr.aws/webscale/php-fpm:8.2-arm64-2026.26 |
| Container | php-fpm:8.3-arm64 | Debian 13.4 | 8.3.31, composer-2.9.8 | arm64 | public.ecr.aws/webscale/php-fpm:8.3-arm64-2026.26 |
| Container | php-fpm:8.4-arm64 | Debian 13.4 | 8.4.21, composer-2.9.8 | arm64 | public.ecr.aws/webscale/php-fpm:8.4-arm64-2026.26 |
| Container | php-fpm:8.5-arm64 | Debian 13.4 | 8.5.6, composer-2.9.8 | arm64 | public.ecr.aws/webscale/php-fpm:8.5-arm64-2026.26 |
| Container | php-fpm:8.1-deb | Debian 13.2 | 8.1.34, composer-2.9.8 | amd64 | public.ecr.aws/webscale/php-fpm:8.1-deb-2026.26 |
| Container | php-fpm:8.2-deb | Debian 13.4 | 8.2.31, composer-2.9.8 | amd64 | public.ecr.aws/webscale/php-fpm:8.2-deb-2026.26 |
| Container | php-fpm:8.3-deb | Debian 13.4 | 8.3.31, composer-2.9.8 | amd64 | public.ecr.aws/webscale/php-fpm:8.3-deb-2026.26 |
| Container | php-fpm:8.4-deb | Debian 13.4 | 8.4.21, composer-2.9.8 | amd64 | public.ecr.aws/webscale/php-fpm:8.4-deb-2026.26 |
| Container | php-fpm:8.1 | Alpine 3.21.7 | 8.1.34, composer-2.9.8 | amd64 | public.ecr.aws/webscale/php-fpm:8.1-2026.26 |
| Container | php-fpm:8.2 | Alpine 3.23.4 | 8.2.31, composer-2.9.8 | amd64 | public.ecr.aws/webscale/php-fpm:8.2-2026.26 |
| Container | php-fpm:8.3 | Alpine 3.23.4 | 8.3.31, composer-2.9.8 | amd64 | public.ecr.aws/webscale/php-fpm:8.3-2026.26 |
| Container | php-fpm:8.4 | Alpine 3.23.4 | 8.4.21, composer-2.9.8 | amd64 | public.ecr.aws/webscale/php-fpm:8.4-2026.26 |
| Container | rabbitmq | Ubuntu 24.04.4 LTS | 4.3.0 | arm64 | public.ecr.aws/webscale/rabbitmq:2026.26 |
| Container | varnish | Debian 12.13 | 6.0.17 | arm64 | public.ecr.aws/webscale/varnish:2026.26 |