diff --git a/tests/e2e/fixtures/baseline-clean/Dockerfile b/tests/e2e/fixtures/baseline-clean/Dockerfile
index 3d4e68e..02ef84c 100644
--- a/tests/e2e/fixtures/baseline-clean/Dockerfile
+++ b/tests/e2e/fixtures/baseline-clean/Dockerfile
@@ -12,7 +12,7 @@
 #   - CertificateAudit: /etc/ssl/certs/ca-certificates.crt matches the pinned SHA-256
 #
 # Expected result: a clean scan with no failures attributable to these rules.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704
 
 # Suppress OrbStack's automatic root-CA injection so the baked CA bundle in
 # the image is identical to the upstream wolfi-base bundle. Without this, the
diff --git a/tests/e2e/fixtures/cabundle-tampered/Dockerfile b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
index 75c2b7d..6c1c2ac 100644
--- a/tests/e2e/fixtures/cabundle-tampered/Dockerfile
+++ b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
@@ -6,7 +6,7 @@
 # Appends a bogus trust anchor to /etc/ssl/certs/ca-certificates.crt so
 # the SHA-256 of the baked bundle diverges from the pinned value the
 # CertificateAudit OVAL check expects. The rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704
 
 LABEL dev.orbstack.add-ca-certificates=false
 
diff --git a/tests/e2e/fixtures/non-https-repo/Dockerfile b/tests/e2e/fixtures/non-https-repo/Dockerfile
index 0d1411d..c758f5a 100644
--- a/tests/e2e/fixtures/non-https-repo/Dockerfile
+++ b/tests/e2e/fixtures/non-https-repo/Dockerfile
@@ -6,7 +6,7 @@
 # Injects a non-https repository URL into /etc/apk/repositories so the
 # textfilecontent54 pattern ^(?!\s*#)(?!.*https://).+$ must match at
 # least one line and the rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704
 
 LABEL dev.orbstack.add-ca-certificates=false
 
diff --git a/tests/e2e/fixtures/remote-access-violation/Dockerfile b/tests/e2e/fixtures/remote-access-violation/Dockerfile
index 519b1a3..2bcc57d 100644
--- a/tests/e2e/fixtures/remote-access-violation/Dockerfile
+++ b/tests/e2e/fixtures/remote-access-violation/Dockerfile
@@ -7,7 +7,7 @@
 # RemoteAccessServices OVAL check must detect the package record under
 # /usr/lib/apk/db/installed and every RemoteAccessServices-backed rule
 # must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704
 
 LABEL dev.orbstack.add-ca-certificates=false