CVE-2026-25122

5.5 MEDIUM

📋 TL;DR

A crafted APK archive can force apko to burn excessive CPU during gzip inflation, exhausting the host's resources. It affects anyone who runs apko versions 0.14.8 through 1.0.x over APK streams they do not control (the archive is split in the expandapk.Split function). The impact is denial of service through CPU exhaustion; confidentiality and integrity are not affected.

💻 Affected Systems

Products:
  • apko
Versions: 0.14.8 through 1.0.x
Operating Systems: All platforms running apko
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when processing APK archives via expandapk.Split function. Only affects availability, not confidentiality or integrity.

📦 What is this software?

apko is an open-source tool from Chainguard that builds OCI container images directly from Alpine-style apk packages, declared in a YAML configuration, without a Dockerfile. It fetches and unpacks the packages itself, which is why the APK archives it consumes are an input an attacker may be able to influence.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, causing timeouts and process crashes in container build pipelines.

🟠 Likely Case: Degraded performance and timeouts in CI/CD pipelines that process untrusted APK packages, disrupting container image builds.

🟢 If Mitigated: Minimal impact if only trusted APK sources are processed, or if resource limits and build timeouts are strictly enforced.

🌐 Internet-Facing: MEDIUM - Exploitable if apko processes APK streams from untrusted internet sources, but requires attacker to supply malicious input.
🏢 Internal Only: LOW - Lower risk if only processing internally generated or trusted APK packages.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker to supply malicious APK input to vulnerable apko instance. No authentication needed if input processing is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0

Vendor Advisory: https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89

Restart Required: No

Instructions:

1. Update apko to version 1.1.0 or later.
2. For containerized deployments, rebuild images that bundle apko with the updated version.
3. Verify the fix by checking the version with 'apko version'.

🔧 Temporary Workarounds

Resource Limiting (platform: all)

Apply CPU and memory limits to apko processes so a malicious archive cannot starve the rest of the host. A quota only contains the damage: the affected build still stalls until it is killed, so pair the limit with a wall-clock timeout on the build step.

docker run --cpus="1.0" --memory="512m" ...
systemd: CPUQuota=100%
k8s: resources.limits.cpu: "1"

Input Validation (platform: all)

Only process APK archives from repositories you trust and whose signatures you verify, and validate inputs before processing.
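The class of bug described here is an inflater that will happily expand whatever an untrusted gzip stream tells it to. The Go snippet below is an added example, not apko's code or its 1.1.0 fix; the function and error names (InflateBounded, ErrInflateLimit, ErrInflateRatio) are hypothetical. It shows the two caps a caller can enforce around any gzip reader when the input is untrusted: an absolute ceiling on inflated bytes and a ceiling on the inflated-to-compressed ratio. The sample streams are constructed in the block (gzip of a few MiB of zeros stands in for a hostile archive).

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var (
	ErrInflateLimit = errors.New("inflated size exceeds limit")
	ErrInflateRatio = errors.New("compression ratio exceeds limit")
)

// countingReader records how many compressed bytes the inflater pulled,
// so the ratio check below can compare input against output.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// InflateBounded inflates a gzip stream from r while enforcing two caps a
// hostile stream could otherwise blow through: maxOut bounds the inflated
// size in bytes, maxRatio bounds inflated/compressed. Hypothetical helper,
// not part of apko.
func InflateBounded(r io.Reader, maxOut int64, maxRatio float64) ([]byte, error) {
	cr := &countingReader{r: r}
	zr, err := gzip.NewReader(cr)
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	// Read one byte past the cap so "exactly maxOut" and "too big" differ.
	lr := &io.LimitedReader{R: zr, N: maxOut + 1}
	var out bytes.Buffer
	if _, err := out.ReadFrom(lr); err != nil {
		return nil, err
	}
	if int64(out.Len()) > maxOut {
		return nil, ErrInflateLimit
	}
	if cr.n > 0 && float64(out.Len())/float64(cr.n) > maxRatio {
		return nil, ErrInflateRatio
	}
	return out.Bytes(), nil
}

// gzipOf compresses payload; used only to build constructed sample streams.
func gzipOf(payload []byte) []byte {
	var b bytes.Buffer
	zw := gzip.NewWriter(&b)
	zw.Write(payload)
	zw.Close()
	return b.Bytes()
}

func main() {
	const mib = 1 << 20

	// Constructed hostile stream: 16 MiB of zeros inflates from ~16 KiB.
	bomb := gzipOf(make([]byte, 16*mib))
	_, err := InflateBounded(bytes.NewReader(bomb), 1*mib, 1e9)
	fmt.Printf("size cap:  %d compressed bytes -> %v\n", len(bomb), err)

	// Same shape of stream, but caught by the ratio cap instead.
	_, err = InflateBounded(bytes.NewReader(gzipOf(make([]byte, 4*mib))), 64*mib, 100)
	fmt.Printf("ratio cap: %v\n", err)

	// A normal small payload passes both caps.
	got, err := InflateBounded(bytes.NewReader(gzipOf([]byte("hello apk"))), 1*mib, 100)
	fmt.Printf("small:     %q %v\n", got, err)
}
```

Pick maxOut from the largest package you legitimately expect to unpack and keep maxRatio generous (a few hundred is still far below what a zero-filled stream achieves); either cap alone bounds the inflater's total work, which is what turns an unbounded CPU spin into a fast, logged rejection. A context deadline on the surrounding build step is the complementary control for the process as a whole.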

🧯 If You Can't Patch

  • Implement strict input validation to only accept APK packages from trusted sources
  • Deploy resource monitoring and alerting for abnormal CPU usage patterns in apko processes

🔍 How to Verify

Check if Vulnerable:

Check apko version: if between 0.14.8 and 1.0.x inclusive, system is vulnerable

Check Version:

apko version

Verify Fix Applied:

Verify apko version is 1.1.0 or later using 'apko version' command

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage by apko processes
  • Timeout errors in container build pipelines
  • Process crashes during APK processing

Network Indicators:

  • High volume of APK downloads from untrusted sources to apko instances

SIEM Query:

process.name:"apko" AND cpu.usage > 90% sustained for >30s
(pseudo-query; map the field names to your SIEM's process and metrics schema)

🔗 References

  • https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89