CVE-2026-25140
Decompression Bomb Vulnerability in apko Causes DoS

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.
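The description above turns on one missing control: the inflated tar stream was never capped. As an added illustration (not apko's code and not the upstream 1.1.1 fix), the Go sketch below reads a gzip-compressed tar stream through an io.LimitedReader so that a small compressed input cannot inflate past a chosen budget; MakeTarGz is a constructed helper that produces the kind of highly compressible input the advisory describes, filled with zeros rather than anything taken from a real repository.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"io"
)

// ErrDecompressionLimit is returned once the inflated tar stream exceeds the cap.
var ErrDecompressionLimit = errors.New("decompressed tar stream exceeds limit")
// ExpandBounded walks a gzip tar stream (the shape of an .apk payload) and returns the
// file bytes seen; the inflated bytes, headers included, are capped at maxBytes.
func ExpandBounded(r io.Reader, maxBytes int64) (int64, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return 0, err
	}
	lr := &io.LimitedReader{R: gz, N: maxBytes + 1} // +1 tells "at the limit" from "over"
	tr := tar.NewReader(lr)
	var total, n int64
	for {
		_, err = tr.Next()
		if err == nil {
			n, err = io.Copy(io.Discard, tr) // a real expander would write to disk here
			total += n
		}
		if lr.N <= 0 { // checked before err: a limit hit can surface as a plain EOF
			return total, ErrDecompressionLimit
		}
		if err == io.EOF {
			return total, nil
		} else if err != nil {
			return total, err
		}
	}
}

// MakeTarGz builds a constructed gzip tar with one file of size zero bytes (compresses ~1000:1).
func MakeTarGz(size int64) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: "payload.bin", Mode: 0644, Size: size})
	io.CopyN(tw, bytes.NewReader(make([]byte, size)), size)
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
```

A 16 MiB archive of zeros is a few KiB on the wire but is rejected by a 1 MiB budget after reading at most the budget plus one byte, while a 1 KiB archive passes untouched.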
Meta Information
Published: 2026-02-04
Last Modified: 2026-02-20
Generated: 2026-06-16
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: chainguard
Product: apko
Version range: from 0.14.8 (inclusive) to 1.1.1 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-25140 is a vulnerability in the apko tool, which is used to build and publish OCI container images from apk packages. The issue exists in the ExpandApk function that processes .apk streams without enforcing limits on decompression.

An attacker who controls or compromises an APK repository can supply a small but highly compressed .apk file that, when decompressed, expands into a very large tar stream. This causes excessive consumption of disk space and CPU resources on the build host.

This uncontrolled resource consumption can lead to build failures or denial of service on the host running apko. The vulnerability affects versions from 0.14.8 up to but not including 1.1.1 and has been fixed in version 1.1.1.

Impact Analysis

This vulnerability can cause resource exhaustion on the system where apko is running. Specifically, it can consume excessive disk space and CPU time due to the decompression of maliciously crafted .apk files.

As a result, this can lead to build failures or denial of service conditions, disrupting the container image build process and potentially impacting availability of services relying on these builds.

Detection Guidance

This vulnerability can be detected by monitoring for unusual resource consumption during the build process using apko, such as excessive CPU usage or disk space consumption when expanding .apk files.

Since the issue involves the ExpandApk function processing maliciously crafted .apk streams without decompression limits, detection can involve observing build failures or denial of service symptoms related to resource exhaustion.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade apko to version 1.1.1 or later, where the vulnerability has been patched.

Additionally, avoid using APK repositories that could be compromised or controlled by attackers, as the vulnerability requires a malicious APK repository to exploit.
