diff --git a/tests/e2e/fixtures/baseline-clean/Dockerfile b/tests/e2e/fixtures/baseline-clean/Dockerfile
index 18845e5..ad62d7b 100644
--- a/tests/e2e/fixtures/baseline-clean/Dockerfile
+++ b/tests/e2e/fixtures/baseline-clean/Dockerfile
@@ -12,7 +12,7 @@
 #   - CertificateAudit: /etc/ssl/certs/ca-certificates.crt matches the pinned SHA-256
 #
 # Expected result: a clean scan with no failures attributable to these rules.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:70750dfde91b4c5804b4df269121253fbdff73a9122925c7acc067aa33f9f55e
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3258be472764337fd13095bcbb3182da170243b5819fd67ad4c0754590588b31
 
 # Suppress OrbStack's automatic root-CA injection so the baked CA bundle in
 # the image is identical to the upstream wolfi-base bundle. Without this, the
diff --git a/tests/e2e/fixtures/cabundle-tampered/Dockerfile b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
index 5b7908e..36ac248 100644
--- a/tests/e2e/fixtures/cabundle-tampered/Dockerfile
+++ b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
@@ -6,7 +6,7 @@
 # Appends a bogus trust anchor to /etc/ssl/certs/ca-certificates.crt so
 # the SHA-256 of the baked bundle diverges from the pinned value the
 # CertificateAudit OVAL check expects. The rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:70750dfde91b4c5804b4df269121253fbdff73a9122925c7acc067aa33f9f55e
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3258be472764337fd13095bcbb3182da170243b5819fd67ad4c0754590588b31
 
 LABEL dev.orbstack.add-ca-certificates=false
 
diff --git a/tests/e2e/fixtures/non-https-repo/Dockerfile b/tests/e2e/fixtures/non-https-repo/Dockerfile
index 8eb83c5..322b611 100644
--- a/tests/e2e/fixtures/non-https-repo/Dockerfile
+++ b/tests/e2e/fixtures/non-https-repo/Dockerfile
@@ -6,7 +6,7 @@
 # Injects a non-https repository URL into /etc/apk/repositories so the
 # textfilecontent54 pattern ^(?!\s*#)(?!.*https://).+$ must match at
 # least one line and the rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:70750dfde91b4c5804b4df269121253fbdff73a9122925c7acc067aa33f9f55e
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3258be472764337fd13095bcbb3182da170243b5819fd67ad4c0754590588b31
 
 LABEL dev.orbstack.add-ca-certificates=false
 
diff --git a/tests/e2e/fixtures/remote-access-violation/Dockerfile b/tests/e2e/fixtures/remote-access-violation/Dockerfile
index e8034bf..82f6af3 100644
--- a/tests/e2e/fixtures/remote-access-violation/Dockerfile
+++ b/tests/e2e/fixtures/remote-access-violation/Dockerfile
@@ -7,7 +7,7 @@
 # RemoteAccessServices OVAL check must detect the package record under
 # /usr/lib/apk/db/installed and every RemoteAccessServices-backed rule
 # must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:70750dfde91b4c5804b4df269121253fbdff73a9122925c7acc067aa33f9f55e
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3258be472764337fd13095bcbb3182da170243b5819fd67ad4c0754590588b31
 
 LABEL dev.orbstack.add-ca-certificates=false