CVE-2026-42576
Type Confusion in apko Leading to DoS via JWKS Key Assertion
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard-dev | apko | < 1.2.7 (1.2.7 and later not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-704 | The product does not correctly convert an object, resource, or structure from one type to a different type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42576 affects apko versions before 1.2.7. The DiscoverKeys function assumed that every key returned by a repository's JWKS endpoint is an RSA public key and converted it with an unchecked Go type assertion, never inspecting the key's actual type (CWE-704, incorrect type conversion).
If the JWKS endpoint returns a key of any other type (for example an EC key), the failed assertion raises a runtime panic and the process crashes. Any workflow that initializes the APK database is affected, because that is when repository keys are fetched.
Version 1.2.7 fixes the issue by replacing the unchecked assertion with a guarded check that returns an error for unsupported key types instead of panicking.
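As an added example (not apko's own code, and not its JWKS parser), the Go program below constructs a JWKS with one RSA key and one P-256 key, then processes it twice: once with the single-value type assertion the advisory attributes to pre-1.2.7 DiscoverKeys, once with the two-value form the fix is described as using. The JWKS parser, the names buildJWKS and discoverKeys and the guarded flag are this example's own assumptions; the keys are generated in-process and never validated, because only the Go type behind each kty matters for the crash.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// jwk carries the RFC 7517 members needed for RSA (n, e) and EC (crv, x, y) keys.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv,omitempty"`
	N   string `json:"n,omitempty"`
	E   string `json:"e,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
}

type jwks struct{ Keys []jwk `json:"keys"` }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeInts base64url-decodes JWK members into big.Ints; an absent member decodes to 0.
func decodeInts(fields ...string) ([]*big.Int, error) {
	var out []*big.Int
	for _, f := range fields {
		b, err := base64.RawURLEncoding.DecodeString(f)
		if err != nil {
			return nil, err
		}
		out = append(out, new(big.Int).SetBytes(b))
	}
	return out, nil
}

// buildJWKS constructs (does not fetch) a JWKS with one freshly generated RSA key
// and, when withEC is set, one P-256 key. It stands in for a repository endpoint.
func buildJWKS(withEC bool) ([]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	set := jwks{Keys: []jwk{{Kty: "RSA", N: b64(rsaKey.N.Bytes()), E: b64(big.NewInt(int64(rsaKey.E)).Bytes())}}}
	if withEC {
		ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		set.Keys = append(set.Keys, jwk{Kty: "EC", Crv: "P-256", X: b64(ecKey.X.Bytes()), Y: b64(ecKey.Y.Bytes())})
	}
	return json.Marshal(set)
}

// discoverKeys parses a JWKS and keeps its RSA keys, the job the advisory ascribes to
// apko's DiscoverKeys. Each parsed key is a crypto.PublicKey (an empty interface), so its
// concrete type is only recoverable through a type assertion; guarded selects which form.
func discoverKeys(doc []byte, guarded bool) ([]*rsa.PublicKey, error) {
	var set jwks
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	var out []*rsa.PublicKey
	for _, k := range set.Keys {
		v, err := decodeInts(k.N, k.E, k.X, k.Y)
		if err != nil {
			return nil, err
		}
		var pub crypto.PublicKey
		switch k.Kty {
		case "RSA":
			pub = &rsa.PublicKey{N: v[0], E: int(v[1].Int64())}
		case "EC":
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: v[2], Y: v[3]}
		default:
			return nil, fmt.Errorf("unsupported kty %q", k.Kty)
		}
		if !guarded { // pre-1.2.7 shape: single-value assertion panics on *ecdsa.PublicKey
			out = append(out, pub.(*rsa.PublicKey))
			continue
		}
		rsaPub, ok := pub.(*rsa.PublicKey) // shape of the fix: two-value form never panics
		if !ok {
			return nil, fmt.Errorf("unsupported key type %T, want *rsa.PublicKey", pub)
		}
		out = append(out, rsaPub)
	}
	return out, nil
}

func main() {
	doc, _ := buildJWKS(true)
	keys, err := discoverKeys(doc, true)
	fmt.Printf("guarded: %d RSA keys, err=%v\n", len(keys), err)
	discoverKeys(doc, false) // crashes the program with a runtime panic (interface conversion)
}
```

Run with `go run`: the guarded pass reports the EC key as an error and returns, while the unchecked pass ends the process with a panic, which is the denial of service the advisory describes. The two-value assertion is the whole fix; everything else here exists only to produce a realistic mixed-type key set offline.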
How can this vulnerability impact me?
In affected versions apko crashes whenever a configured repository's JWKS endpoint returns a non-RSA key.
That crash breaks any workflow that initializes the APK database and fetches repository keys, so container image builds and publishing pipelines that run apko can fail. Because the trigger is the endpoint's response, anyone who controls a repository JWKS endpoint that apko is configured to query can cause the failure.
The failure mode is a panic on a failed type assertion, not memory corruption: it does not lead to data corruption or unauthorized access. The impact is to availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
In affected versions the crash (a Go panic) happens in DiscoverKeys when a repository JWKS endpoint returns a non-RSA key while the APK database is being initialized.
To detect exposure, first check the installed version (for example with apko version): anything below 1.2.7 is affected.
Then inspect the key types the JWKS endpoints of your configured repositories actually serve, since the panic is driven entirely by that response:
- Fetch the JWKS JSON with curl (or a similar tool) and list each key's kty member.
- Example command: curl -s https://<repository-jwks-endpoint> | jq -r '.keys[].kty'
Any value other than "RSA" (for example "EC") will crash affected versions; the assertion is made for every key in the set, so a single non-RSA key is enough.
Watching apko runs in CI for panics during APK database initialization or key fetching also reveals the problem, but only after it has already broken a build.
What immediate steps should I take to mitigate this vulnerability?
The fix in apko 1.2.7 replaces the unchecked type assertion with a guarded one that returns an error for unsupported key types.
Immediate mitigation steps:
- Upgrade apko to 1.2.7 or later, and pin that version in CI images and build scripts so an older build does not reappear.
- Until you can upgrade, only configure repositories whose JWKS endpoints serve RSA keys, and check those endpoints before pointing apko at them.
- Treat an apko panic during key fetching as a failed build and alert on it rather than retrying blindly; the failure is deterministic for a given endpoint response.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources contain no information on how this vulnerability affects compliance with standards and regulations such as GDPR or HIPAA.