VDB

CVE-2026-25140

CVE-2026-25140 PUBLISHED CVSS 7.5 HIGH

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.

EPSS 0.02% · 5.5th percentile

Risk Scores

CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.02%
5.5th percentile

Affected Products

VendorProductVersions
chainguardapko0.14.8, 0.14.8
chainguard-devapko>= 0.14.8, < 1.1.1, >= 0.14.8, < 1.1.1

Timeline

  • Jan 29, 2026 CVE ID Reserved
  • Feb 4, 2026 CVE Published
  • Feb 4, 2026 PoC Published
  • Feb 4, 2026 CVE Updated
  • Feb 5, 2026 EPSS Score
  • Feb 7, 2026 EPSS Score
  • Feb 9, 2026 EPSS Score
  • Feb 12, 2026 EPSS Score
  • Feb 14, 2026 EPSS Score
  • Feb 16, 2026 EPSS Score
  • Feb 18, 2026 EPSS Score
  • Feb 20, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›