Perceptive Security
SOC/SIEM Consultancy

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromise…
Published: 3 February 2026 at 23:00:00
Alert date: 4 February 2026 at 20:00:59
Source: nvd.nist.gov
Cloud & Virtualization, Supply Chain & Dependencies
A resource exhaustion vulnerability in apko, a tool for building OCI container images from APK packages, affects versions 0.14.8 to before 1.1.1. An attacker who controls or compromises an APK repository can exploit the ExpandApk function's lack of decompression limits by serving small, highly compressed APK files that expand into very large tar streams. Expanding them consumes excessive disk space and CPU, causing build failures or denial of service. The vulnerability has been patched in version 1.1.1.
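The defensive pattern the fix amounts to, a hard cap on decompressed output while unpacking a gzip-compressed tar stream, as an added Go example. This is not apko's code and is not taken from the linked commit: `expandWithLimit` and `buildGzipTar` are hypothetical names, and the archives are constructed in memory to stand in for an APK served by a hostile repository. Every decompressed byte, tar headers included, is charged against the budget, so a tiny blob that inflates into a large stream is rejected before it can fill the disk or burn CPU.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrExpansionLimit signals that a compressed stream tried to expand past the
// budget the caller allowed.
var ErrExpansionLimit = errors.New("decompressed output exceeds limit")

// expandWithLimit walks a gzip-compressed tar stream (the layout an APK uses)
// and returns the number of entry content bytes it consumed. Decompressed
// bytes are charged against maxBytes through an io.LimitedReader, so neither a
// single huge entry nor a flood of headers can exceed the budget.
// Hypothetical helper, not apko's ExpandApk.
func expandWithLimit(compressed []byte, maxBytes int64) (int64, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return 0, err
	}
	defer gz.Close()

	// Budget is maxBytes+1: if it is fully consumed, the stream is larger than maxBytes.
	limited := &io.LimitedReader{R: gz, N: maxBytes + 1}
	tr := tar.NewReader(limited)

	var extracted int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			if limited.N == 0 {
				return extracted, ErrExpansionLimit
			}
			return extracted, err
		}
		// Fast path: the header already declares more content than the remaining budget.
		if hdr.Size > maxBytes-extracted {
			return extracted, ErrExpansionLimit
		}
		// A real extractor would write to disk here; io.Discard keeps the example self-contained.
		n, err := io.Copy(io.Discard, tr)
		extracted += n
		if err != nil {
			if limited.N == 0 {
				return extracted, ErrExpansionLimit
			}
			return extracted, err
		}
	}
	if limited.N == 0 {
		return extracted, ErrExpansionLimit
	}
	return extracted, nil
}

// buildGzipTar builds an in-memory gzip-compressed tar holding `entries` regular
// files of `size` zero bytes each. Constructed sample input standing in for an APK
// from a hostile repository: zeros compress at roughly 1000:1, so a large size
// yields a tiny compressed blob.
func buildGzipTar(entries int, size int64) ([]byte, error) {
	var buf bytes.Buffer
	gz, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	if err != nil {
		return nil, err
	}
	tw := tar.NewWriter(gz)
	chunk := make([]byte, 1<<20) // zero-filled
	for i := 0; i < entries; i++ {
		hdr := &tar.Header{Typeflag: tar.TypeReg, Name: fmt.Sprintf("payload-%d", i), Mode: 0o644, Size: size}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		for remaining := size; remaining > 0; {
			n := int64(len(chunk))
			if remaining < n {
				n = remaining
			}
			if _, err := tw.Write(chunk[:n]); err != nil {
				return nil, err
			}
			remaining -= n
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	bomb, err := buildGzipTar(1, 32<<20) // one 32 MiB zero-filled entry
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed %d bytes, declared content %d bytes\n", len(bomb), 32<<20)
	n, err := expandWithLimit(bomb, 8<<20) // allow 8 MiB of decompressed output
	fmt.Printf("extracted %d bytes, err=%v\n", n, err)
}
```

The two checks are deliberately layered: the declared-size test on each header rejects an oversized entry before any of its content is read, while the LimitedReader is the backstop for streams whose headers look harmless individually, such as thousands of empty entries whose 512-byte headers add up. The budget is a policy decision for the caller; a build tool would size it from the package metadata it already trusts rather than from the archive being unpacked.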
Mitigation steps: upgrade apko to version 1.1.1 or later, where the vulnerability is patched.
Affected products: apko
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-25140
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09
https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6
This article was created with the assistance of AI technology by Perceptive.
