diff --git a/tests/e2e/fixtures/baseline-clean/Dockerfile b/tests/e2e/fixtures/baseline-clean/Dockerfile
index b0695c4..e8daa29 100644
--- a/tests/e2e/fixtures/baseline-clean/Dockerfile
+++ b/tests/e2e/fixtures/baseline-clean/Dockerfile
@@ -12,7 +12,7 @@
 #   - CertificateAudit: /etc/ssl/certs/ca-certificates.crt matches the pinned SHA-256
 #
 # Expected result: a clean scan with no failures attributable to these rules.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b78bb982194828b6c9c214230bf34d51944e2102ea8468f01ac21e5f99328efd
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:865267010fd5c6a45c7ab456848573010ec521b0d2677a0a966f3f2211b71eda
 
 # Suppress OrbStack's automatic root-CA injection so the baked CA bundle in
 # the image is identical to the upstream wolfi-base bundle. Without this, the
diff --git a/tests/e2e/fixtures/cabundle-tampered/Dockerfile b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
index f1405b3..2cb44cd 100644
--- a/tests/e2e/fixtures/cabundle-tampered/Dockerfile
+++ b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
@@ -6,7 +6,7 @@
 # Appends a bogus trust anchor to /etc/ssl/certs/ca-certificates.crt so
 # the SHA-256 of the baked bundle diverges from the pinned value the
 # CertificateAudit OVAL check expects. The rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b78bb982194828b6c9c214230bf34d51944e2102ea8468f01ac21e5f99328efd
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:865267010fd5c6a45c7ab456848573010ec521b0d2677a0a966f3f2211b71eda
 
 LABEL dev.orbstack.add-ca-certificates=false
 
diff --git a/tests/e2e/fixtures/non-https-repo/Dockerfile b/tests/e2e/fixtures/non-https-repo/Dockerfile
index 48f1ed3..34ca024 100644
--- a/tests/e2e/fixtures/non-https-repo/Dockerfile
+++ b/tests/e2e/fixtures/non-https-repo/Dockerfile
@@ -6,7 +6,7 @@
 # Injects a non-https repository URL into /etc/apk/repositories so the
 # textfilecontent54 pattern ^(?!\s*#)(?!.*https://).+$ must match at
 # least one line and the rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b78bb982194828b6c9c214230bf34d51944e2102ea8468f01ac21e5f99328efd
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:865267010fd5c6a45c7ab456848573010ec521b0d2677a0a966f3f2211b71eda
 
 LABEL dev.orbstack.add-ca-certificates=false
 
diff --git a/tests/e2e/fixtures/remote-access-violation/Dockerfile b/tests/e2e/fixtures/remote-access-violation/Dockerfile
index 740f7f7..ccf553b 100644
--- a/tests/e2e/fixtures/remote-access-violation/Dockerfile
+++ b/tests/e2e/fixtures/remote-access-violation/Dockerfile
@@ -7,7 +7,7 @@
 # RemoteAccessServices OVAL check must detect the package record under
 # /usr/lib/apk/db/installed and every RemoteAccessServices-backed rule
 # must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b78bb982194828b6c9c214230bf34d51944e2102ea8468f01ac21e5f99328efd
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:865267010fd5c6a45c7ab456848573010ec521b0d2677a0a966f3f2211b71eda
 
 LABEL dev.orbstack.add-ca-certificates=false