CVE-2026-42575
Signature Verification Bypass in apko OCI Image Builder
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard-dev | apko | to 1.2.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-494 | The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in apko involves the failure to verify downloaded APK packages against the checksums recorded in the signed APKINDEX.tar.gz file. While apko verifies the signature of the APKINDEX file itself, it does not compare the checksum of each individually downloaded .apk package with the expected checksum from the signed index. This means that mismatched or tampered packages are silently accepted.
An attacker who can intercept or manipulate download responses, such as through a compromised mirror, an HTTP repository, or a poisoned CDN cache, can substitute arbitrary packages into the built OCI container images without detection. This allows the attacker to inject malicious packages into images built using vulnerable versions of apko (prior to version 1.2.7).
How can this vulnerability impact me?
This vulnerability can lead to the installation of arbitrary and potentially malicious packages into OCI container images built with apko. Since the package checksums are not verified, attackers can substitute compromised packages during the download process.
The impact includes the risk of introducing malicious code into container images, which can compromise the security and integrity of applications and systems that deploy these images. This can lead to unauthorized code execution, data manipulation, or other security breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Before version 1.2.7, apko does not verify downloaded APK packages against the checksums recorded in the signed APKINDEX.tar.gz file. Detection therefore comes down to two checks: whether the apko version in use is older than 1.2.7, and whether package control hashes are actually validated during image builds.
Since the vulnerability is related to checksum verification of downloaded packages, one way to detect exploitation is to monitor or audit the integrity of built OCI images by comparing package hashes against the signed APKINDEX checksums.
Specific commands to detect this vulnerability are not provided in the available resources. However, general steps include:
- Check the installed apko version with a command like `apko --version` or inspecting the binary version.
- Review build logs or scripts to confirm if checksum verification is performed during package downloads.
- Manually verify package checksums by extracting APKINDEX.tar.gz and comparing the checksums of downloaded .apk packages against those recorded in the index.
- Use network monitoring tools to detect suspicious package downloads from untrusted mirrors or HTTP repositories.
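The manual comparison from the third step above, as an added example that is not apko's own code: it recomputes each downloaded package's control-segment checksum and compares it with the `C:` entry in APKINDEX, which is exactly the comparison apko skipped before 1.2.7 (the index signature itself is assumed to have been verified already). The APKINDEX field layout and the .apk segment structure it relies on are assumptions stated in the docstring, and the sample package and index entry are constructed inline.

```python
"""Check downloaded .apk files against APKINDEX 'C:' checksums (added example, not apko's code). Assumed
layout: gzip members [optional .SIGN.* segment, .PKGINFO control segment, data]; C = 'Q1'+b64(sha1(control))."""
import base64, gzip, hashlib, io, tarfile, zlib

def gzip_members(blob: bytes) -> list[bytes]:
    """Split concatenated gzip members, returning each member's raw compressed bytes."""
    members, pos = [], 0
    while pos < len(blob):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper; stops at the member's end
        d.decompress(blob[pos:])
        consumed = len(blob) - pos - len(d.unused_data)
        members.append(blob[pos:pos + consumed])
        pos += consumed
    return members

def control_checksum(apk: bytes) -> str:
    """Recompute the APKINDEX 'C:' value for a package: SHA-1 over the compressed control segment."""
    members = gzip_members(apk)
    first_entry = gzip.decompress(members[0])[:100].rstrip(b"\0")  # tar header name field
    control = members[1] if first_entry.startswith(b".SIGN.") else members[0]
    # .PKGINFO in the control segment records the data segment's datahash, so this covers the payload too.
    return "Q1" + base64.b64encode(hashlib.sha1(control).digest()).decode()

def parse_apkindex(text: str) -> dict[str, str]:
    """Map 'name-version.apk' -> expected 'C:' checksum from APKINDEX text."""
    expected = {}
    for block in text.strip().split("\n\n"):
        f = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        expected[f"{f['P']}-{f['V']}.apk"] = f["C"]
    return expected

def verify_downloads(index_text: str, downloads: dict[str, bytes]) -> dict[str, bool]:
    """The check apko lacked before 1.2.7: each fetched .apk must match the signed index."""
    expected = parse_apkindex(index_text)
    return {n: expected.get(n) == control_checksum(b) for n, b in downloads.items()}

def _tar_gz(name: str, content: bytes) -> bytes:
    """One-entry gzip'd tar segment (helper for the constructed sample below)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(content)
        tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample: a signed-looking .apk, its index entry, and a substituted package.
SIG = _tar_gz(".SIGN.RSA.demo.pub", b"constructed signature")
GENUINE_APK = SIG + _tar_gz(".PKGINFO", b"pkgname = demo\n") + _tar_gz("usr/bin/demo", b"#!/bin/sh\n")
TAMPERED_APK = SIG + _tar_gz(".PKGINFO", b"pkgname = demo\nx = 1\n") + _tar_gz("usr/bin/demo", b"#!/bin/sh\n")
SAMPLE_INDEX = f"P:demo\nV:1.0-r0\nC:{control_checksum(GENUINE_APK)}\n"
```

A package whose name is absent from the index, or whose control segment differs from what the index records, is reported as `False` and should not be admitted into the image.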
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade apko to version 1.2.7 or later, where the vulnerability has been fixed by implementing verification of package control hashes against the signed APKINDEX.
Until the upgrade can be applied, avoid using untrusted mirrors, HTTP repositories, or CDN caches that could be compromised to substitute malicious packages.
Additionally, consider auditing existing OCI images built with vulnerable apko versions for unexpected or unauthorized packages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to substitute arbitrary packages into built OCI container images by exploiting insufficient verification of package integrity. Such unauthorized code insertion can lead to compromised software supply chains and potentially introduce malicious code into production environments.
While the provided context and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to inject unauthorized code could indirectly impact compliance by undermining the integrity and security of software systems that handle sensitive data.
Organizations subject to regulations requiring strict data integrity and security controls might find this vulnerability relevant, as it represents a risk to the authenticity and trustworthiness of software components, which could affect compliance with such standards.