CVE-2026-25140
Decompression Bomb Vulnerability in apko Causes DoS

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Vendor: chainguard
Product: apko
Version / Range: from 0.14.8 (inclusive) to 1.1.1 (exclusive)
CWE
CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
CWE-770 (Allocation of Resources Without Limits or Throttling): The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25140 is a vulnerability in the apko tool, which is used to build and publish OCI container images from apk packages. The issue exists in the ExpandApk function (pkg/apk/expandapk/expandapk.go), which inflates .apk streams without enforcing any cap on the decompressed size.

An attacker who controls or compromises an APK repository can supply a small but highly compressed .apk file that, when decompressed, expands into a very large tar stream. This causes excessive consumption of disk space and CPU resources on the build host.

This uncontrolled resource consumption can lead to build failures or denial of service on the host running apko. The vulnerability affects versions from 0.14.8 up to but not including 1.1.1 and has been fixed in version 1.1.1.
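The mechanism and the shape of the fix, as an added example that is not apko's code: a constructed, deliberately small gzip-compressed tar whose single entry inflates to 16 MiB of zeros stands in for a malicious .apk served by a hostile repository. Expand with limit 0 reproduces the unbounded behaviour (every byte is inflated); with a positive cap the same stream is aborted as soon as the inflated tar data exceeds it. The names BuildBomb, Expand and cappedReader, and the placeholder entry name, are this example's own. The cap is applied between the gzip reader and the tar reader on purpose: limiting the compressed input does nothing against a bomb, only the inflated stream can be bounded.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned once the inflated tar stream exceeds the cap.
var ErrDecompressionLimit = errors.New("decompressed size exceeds limit")

// zeroReader yields an endless stream of zero bytes without allocating them up front.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// BuildBomb constructs, in memory and only for this demonstration, a gzip-compressed
// tar whose single entry is n zero bytes. Zeros deflate at roughly 1000:1, so a few
// kilobytes on the wire inflate to n bytes of tar data, mimicking a hostile .apk.
func BuildBomb(n int64) ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	hdr := &tar.Header{Name: "usr/lib/libpayload.so", Mode: 0o644, Size: n} // placeholder name
	if err := tw.WriteHeader(hdr); err != nil {
		return nil, err
	}
	if _, err := io.CopyN(tw, zeroReader{}, n); err != nil {
		return nil, err
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// cappedReader counts the bytes handed out by the inflater and fails once they
// exceed limit. It sits between gzip and tar, so the cap applies to the inflated
// stream, the only place a limit is meaningful against a compression bomb.
type cappedReader struct {
	r     io.Reader
	limit int64
	n     int64
}

func (c *cappedReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	if c.n > c.limit {
		return n, ErrDecompressionLimit
	}
	return n, err
}

// Expand walks every entry of a gzip-compressed tar and returns the number of file
// bytes inflated. limit <= 0 reproduces the unbounded behaviour; a positive limit
// aborts with ErrDecompressionLimit as soon as the inflated stream exceeds it.
func Expand(compressed []byte, limit int64) (int64, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return 0, err
	}
	defer gz.Close()
	var src io.Reader = gz
	if limit > 0 {
		src = &cappedReader{r: gz, limit: limit}
	}
	tr := tar.NewReader(src)
	var total int64
	for {
		if _, err := tr.Next(); err == io.EOF {
			return total, nil
		} else if err != nil {
			return total, err
		}
		// A real expander would write the entry to disk here; discarding keeps
		// the demonstration self-contained while still inflating every byte.
		n, err := io.Copy(io.Discard, tr)
		total += n
		if err != nil {
			return total, err
		}
	}
}

func main() {
	bomb, err := BuildBomb(16 << 20) // 16 MiB of zeros
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed size: %d bytes\n", len(bomb))
	n, err := Expand(bomb, 0)
	fmt.Printf("unbounded: inflated %d bytes, err=%v\n", n, err)
	n, err = Expand(bomb, 4<<20)
	fmt.Printf("capped at 4 MiB: inflated %d bytes, err=%v\n", n, err)
}
```

The cap is checked after each read the tar layer requests, so the abort point overshoots the limit by at most one read buffer; a production cap should be set per package (and ideally per build) well above any legitimate .apk but far below the free disk space of the build host.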


How can this vulnerability impact me?

This vulnerability can cause resource exhaustion on the system where apko is running. Specifically, it can consume excessive disk space and CPU time due to the decompression of maliciously crafted .apk files.

As a result, this can lead to build failures or denial of service conditions, disrupting the container image build process and potentially impacting availability of services relying on these builds.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The reliable check is the installed version: any apko from 0.14.8 up to but not including 1.1.1 is affected, so confirm the version reported by apko's version subcommand (or by the Go module metadata embedded in the binary) on every build host and CI runner image.

Exploitation itself is only visible as symptoms: a build that consumes far more disk space or CPU time than the packages it resolves should account for, a build host that runs out of disk, or build failures during package expansion. Monitoring those signals catches an attack in progress but does not tell you whether the code path is still vulnerable; the version check does.

The available resources do not list specific detection commands beyond this.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade apko to version 1.1.1 or later, where ExpandApk enforces a decompression limit.

Until the upgrade is rolled out, reduce exposure on the repository side: build only from APK repositories you control or trust, and keep their signing keys pinned so that a substituted package is rejected rather than expanded. As defence in depth, run builds with disk and CPU quotas (for example in a container or cgroup with a bounded writable filesystem) so that a bomb exhausts the sandbox rather than the host.

