Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.
Published: 2026-02-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unbounded Resource Consumption (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

ExpandApk in Apko expands .apk streams without a decompression limit, allowing a malicious repository that serves a small, highly‑compressed .apk to inflate into a large tar stream. This can consume excessive disk space and CPU time during image build, potentially causing build failures or a denial of service.

Affected Systems

Chainguard's Apko, from version 0.14.8 up to but not including 1.1.1, is affected. Systems using the vulnerable version of Apko and fetching packages from an attacker‑controlled or compromised APK repository are at risk.

Risk and Exploitability

With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) the vulnerability is rated High: it is reachable over the network without privileges or user interaction, and its sole impact is on availability. The EPSS score is below 1%, indicating a low likelihood of exploitation in the wild, and the issue is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to control or compromise an APK repository that Apko fetches packages from; from that position, serving a single small, highly compressed .apk is enough to exhaust disk and CPU on the build host, and the SSVC assessment recorded in the history below marks the attack as automatable.

Generated by OpenCVE AI on April 17, 2026 at 23:20 UTC.

Remediation

Fixed in apko 1.1.1, per the advisory description above. No vendor workaround is listed for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Apko to version 1.1.1 or later, which includes the fix that enforces decompression limits in ExpandApk.
  • Verify the authenticity and integrity of APK repositories and packages by validating cryptographic signatures or checksums before use. Note that this only rules out a spoofed or tampered repository: a compromised repository or signing key can still serve a validly signed decompression bomb, so verification complements the decompression limit rather than replacing it.
  • Where possible, run builds under resource limits that bound the blast radius of unexpected expansion: CPU and memory limits via cgroups or the container runtime, and a disk quota or size-limited filesystem for the build's working directory, since the inflated tar stream is written to disk.

Generated by OpenCVE AI on April 17, 2026 at 23:20 UTC.
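
The fix referred to in the description and the first recommended action is a cap on the number of bytes produced by decompression, not on the size of the download. The Go program below is an added example written for this page; it is not apko's code and does not reproduce the actual patch in pkg/apk/expandapk/expandapk.go. It treats the input as a single gzip-compressed tar stream (the real .apk layout is not modelled), constructs its own decompression bomb as test input, and places a vulnerable walk beside a bounded one. The function names, the 1 MiB budget, the 8 MiB payload and the file name inside the archive are all assumed values.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned once the inflated output passes the cap.
var ErrDecompressionLimit = errors.New("decompressed stream exceeds configured limit")

// boundedReader meters the inflated side of the gzip reader and fails closed when
// the budget is spent. Capping compressed input would not help: the attacker
// chooses the ratio, not the input size.
type boundedReader struct {
	r         io.Reader
	remaining int64
}

func (b *boundedReader) Read(p []byte) (int, error) {
	if b.remaining <= 0 {
		return 0, ErrDecompressionLimit
	}
	if int64(len(p)) > b.remaining {
		p = p[:b.remaining]
	}
	n, err := b.r.Read(p)
	b.remaining -= int64(n)
	return n, err
}

// walkTar drains every entry of a tar stream and returns the payload bytes read.
// io.Discard stands in for the extraction target; a file on disk grows the same way.
func walkTar(r io.Reader) (total int64, err error) {
	tr := tar.NewReader(r)
	for err == nil {
		var n int64
		if _, err = tr.Next(); err == nil {
			n, err = io.Copy(io.Discard, tr)
			total += n
		}
	}
	if err == io.EOF {
		err = nil // clean end of archive
	}
	return total, err
}

// expandUnbounded mirrors the vulnerable shape: the walk consumes whatever the
// gzip stream produces, so a few KiB of input can cost gigabytes of output.
func expandUnbounded(apk []byte) (int64, error) {
	zr, err := gzip.NewReader(bytes.NewReader(apk))
	if err != nil {
		return 0, err
	}
	return walkTar(zr)
}

// expandBounded is the hardened shape: the same walk, but every inflated byte
// (headers, padding and contents alike) is charged to one budget shared by all
// entries, so many medium-sized entries cannot dodge a per-file cap.
func expandBounded(apk []byte, limit int64) (int64, error) {
	zr, err := gzip.NewReader(bytes.NewReader(apk))
	if err != nil {
		return 0, err
	}
	return walkTar(&boundedReader{r: zr, remaining: limit})
}

// buildBomb constructs a test input (not a real package): a gzip-compressed tar
// holding one regular file of `size` zero bytes. gzip reaches roughly 1000:1 on
// zeros, so 8 MiB of payload arrives as about 8 KiB on the wire.
func buildBomb(size int) []byte {
	var buf bytes.Buffer
	gw := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gw)
	hdr := &tar.Header{Name: "usr/lib/libbomb.so", Mode: 0o644, Size: int64(size), Typeflag: tar.TypeReg}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(make([]byte, size)); err != nil {
		panic(err)
	}
	tw.Close() // writes the tar trailer; in-memory writers cannot fail here
	gw.Close() // flushes the gzip trailer before buf.Bytes() is read
	return buf.Bytes()
}

func main() {
	apk := buildBomb(8 << 20)
	n, err := expandUnbounded(apk)
	fmt.Printf("%d compressed bytes -> unbounded: %d inflated, err=%v\n", len(apk), n, err)
	n, err = expandBounded(apk, 1<<20) // 1 MiB budget, an assumed value for this example
	fmt.Printf("bounded: %d inflated, err=%v\n", n, err)
}
```

Two design points carry the weight here. The meter sits on the inflated side of the decompressor, because a cap on the downloaded size is no defence when the attacker picks the compression ratio; and the budget is shared across the whole stream rather than per entry, so a package made of many moderate files is bounded the same way as one huge file. Against the constructed bomb the bounded walk stops just under 1 MiB with ErrDecompressionLimit, while the unbounded walk inflates all 8 MiB, which is the behaviour the advisory describes.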

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Chainguard; Chainguard apko
Weaknesses           (none)           CWE-770
CPEs                 (none)           cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*
Vendors & Products   (none)           Chainguard; Chainguard apko

Thu, 05 Feb 2026 11:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Chainguard-dev; Chainguard-dev apko
Vendors & Products   (none)           Chainguard-dev; Chainguard-dev apko

Wed, 04 Feb 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 19:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.
Title        (none)           apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams
Weaknesses   (none)           CWE-400
References   (none)
Metrics      (none)           cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T19:17:36.596Z

Reserved: 2026-01-29T15:39:11.820Z

Link: CVE-2026-25140

Vulnrichment

Updated: 2026-02-04T19:17:31.427Z

NVD

Status : Analyzed

Published: 2026-02-04T19:16:15.117

Modified: 2026-02-20T21:31:56.623

Link: CVE-2026-25140

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses