CVE-2026-25140

High CVSS: 7.5

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.

Vendor

Chainguard

Product

Apko

CWE

CWE-400

Yayın Tarihi

2026-02-04 19:16:15

Güncelleme

2026-02-20 21:31:56

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-400 Apko HIGH Chainguard 2026

Referanslar

https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6

Benzer Kayıtlar

Medium

CVE-2026-29049

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cach…

High

CVE-2026-28406

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in vers…

Medium

CVE-2026-28407

malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior…

High

CVE-2026-25143

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacke…

Medium

CVE-2026-25145

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacke…

High

CVE-2026-24843

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker…