CVE-2026-25140 in apko
Summary
by MITRE • 02/04/2026
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.
Analysis
by VulDB Data Team • 02/21/2026
CVE-2026-25140 affects apko, which builds OCI container images directly from apk packages, the package format used by Alpine Linux. apko runs inside automated build pipelines, where it fetches and unpacks packages from its configured repositories with no human in the loop. Versions 0.14.8 through 1.1.0 are affected. The flaw is in how the APK expansion step handles compressed data: a repository that an attacker controls or has compromised can serve a package that exhausts the build host's resources while apko expands it.
The flaw is in the ExpandApk function in pkg/apk/expandapk/expandapk.go, which decompresses an .apk's gzip streams with no cap on how many bytes it produces. An apk v2 package is three concatenated gzip streams (signature, control and data), each a gzip-compressed tar, and deflate can shrink a run of identical bytes by roughly a thousand to one, so a package of a few hundred kilobytes can inflate to hundreds of megabytes. Because ExpandApk writes the expanded tar stream out without checking how much it has written, the build host pays the full cost in disk space and CPU time, and the result is a failed build or a host that can no longer serve other jobs.
The impact is not confined to one process. apko is typically run by CI on shared build hosts or clusters, so a single malicious package can fill the disk and pin the CPU of a host that other jobs depend on, failing unrelated builds or stalling the whole pipeline, and the effect multiplies when several builds pull the same package at once. The weakness is classified as CWE-400 (Uncontrolled Resource Consumption), here through uncontrolled data expansion, the classic decompression-bomb pattern applied to a build system. The effect described is on availability: the reliability of image creation and of the continuous integration and deployment workflows that depend on it.
Mitigation starts with upgrading to apko 1.1.1 or later, which enforces a decompression limit in ExpandApk. Beyond the patch, pin the repositories and the signing keyring in the apko configuration so that an APKINDEX not signed by an expected key is rejected; bear in mind that this CVE concerns a repository the build already trusts, so a compromised or malicious repository that can sign its own index still reaches ExpandApk, and key pinning complements the patch rather than replacing it. Network-level bandwidth limits do not help, because the malicious package is small on the wire and only becomes large on the build host. Host-level limits do: run each build under a disk quota or a size-limited scratch filesystem, a CPU time limit and a wall-clock timeout, ideally in its own container or cgroup, so that a runaway expansion fails that one job rather than the host, and alert on sudden disk and CPU spikes during builds as an early warning. The issue is mapped to ATT&CK technique T1499.001 (Endpoint Denial of Service: OS Exhaustion Flood) and is a reminder that untrusted input to a build system needs bounds, not just integrity checks. After patching, confirm that the largest legitimate packages you build from still expand within the new limit, since a decompression limit rejects oversized output regardless of intent.
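The expansion flaw described in the ExpandApk paragraph above (a gzip-compressed tar read with no output cap) and the boundary enforcement the fix introduces, as an added example in Go. This is illustrative code written for this page, not apko's code and not the 1.1.1 patch, and it does not reproduce apko's API: the names BuildBombApk, ExpandUnbounded and ExpandBounded, the entry names and the package contents are invented, the "signature" is a placeholder, and output is discarded rather than written to disk, which is where the real damage lands. It constructs a package laid out like an apk v2 file (three concatenated gzip streams: signature, control, data) whose data tar holds 32 MiB of zeros, shows that it is a few tens of kilobytes on the wire, and contrasts the unbounded read with a stream-by-stream walk that stops as soon as a byte budget is exceeded.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var ErrDecompressionLimit = errors.New("decompressed size exceeds limit")

// addEntry writes one regular-file entry with the given body to tw.
func addEntry(tw *tar.Writer, name string, body []byte) error {
	if err := tw.WriteHeader(&tar.Header{Typeflag: tar.TypeReg, Name: name, Mode: 0o644, Size: int64(len(body))}); err != nil {
		return err
	}
	_, err := tw.Write(body)
	return err
}

// gzipTar returns one gzip stream holding a tar archive that fill populates.
func gzipTar(fill func(*tar.Writer) error) ([]byte, error) {
	var buf bytes.Buffer
	zw, _ := gzip.NewWriterLevel(&buf, gzip.BestCompression) // only fails for an invalid level
	tw := tar.NewWriter(zw)
	if err := fill(tw); err != nil {
		return nil, err
	}
	if err := tw.Close(); err != nil { // writes the two zero blocks that end a tar
		return nil, err
	}
	zw.Close() // flushes deflate output and the gzip trailer; bytes.Buffer writes cannot fail
	return buf.Bytes(), nil
}

// BuildBombApk builds a toy package laid out like an apk v2 file: three concatenated gzip streams
// (signature, control, data). Names and contents are invented for this example; nothing is signed.
func BuildBombApk(dataSize int64) ([]byte, error) {
	parts := []func(*tar.Writer) error{
		func(tw *tar.Writer) error { return addEntry(tw, ".SIGN.RSA.example.rsa.pub", []byte("not a real signature")) },
		func(tw *tar.Writer) error { return addEntry(tw, ".PKGINFO", []byte("pkgname = bomb\npkgver = 1.0-r0\n")) },
		func(tw *tar.Writer) error { return addEntry(tw, "usr/share/bomb/zeros", make([]byte, dataSize)) },
	}
	var apk []byte
	for _, fill := range parts {
		stream, err := gzipTar(fill)
		if err != nil {
			return nil, err
		}
		apk = append(apk, stream...)
	}
	return apk, nil
}

// ExpandUnbounded mirrors the vulnerable pattern: decompress until the input ends, however large the output gets.
func ExpandUnbounded(apk []byte) (int64, error) {
	zr, err := gzip.NewReader(bytes.NewReader(apk))
	if err != nil {
		return 0, err
	}
	return io.Copy(io.Discard, zr) // multistream mode reads all three sections as one
}

// ExpandBounded walks the package stream by stream (Multistream(false) stops at each gzip
// trailer) under one byte budget, returning how many streams completed and bytes produced.
func ExpandBounded(apk []byte, maxTotal int64) (int, int64, error) {
	r := bytes.NewReader(apk) // an io.ByteReader, so gzip never reads past a trailer
	zr, err := gzip.NewReader(r)
	if err != nil {
		return 0, 0, err
	}
	streams, total := 0, int64(0)
	for {
		zr.Multistream(false)
		// One byte of headroom past the remaining budget tells "over" from "exactly at".
		n, err := io.Copy(io.Discard, io.LimitReader(zr, maxTotal-total+1))
		total += n
		if err != nil {
			return streams, total, err
		}
		if total > maxTotal {
			return streams, total, fmt.Errorf("%w: stream %d pushed output past %d bytes", ErrDecompressionLimit, streams+1, maxTotal)
		}
		streams++
		if err := zr.Reset(r); err == io.EOF {
			return streams, total, nil // no further gzip stream follows
		} else if err != nil {
			return streams, total, err
		}
	}
}

func main() {
	apk, _ := BuildBombApk(32 << 20)
	streams, total, err := ExpandBounded(apk, 16<<20)
	fmt.Printf("%d bytes on the wire; stopped after %d streams at %d bytes: %v\n", len(apk), streams, total, err)
}
```

The one-byte headroom in the LimitReader is the detail most implementations get wrong: without it, a stream that lands exactly on the limit and one that is far over it are indistinguishable. The walker reads through a bytes.Reader, which is an io.ByteReader, so gzip does not consume bytes past a stream's trailer and Reset can pick up the next stream from the same reader; for a network body you would wrap it in a bufio.Reader for the same reason. With a 16 MiB budget the signature and control streams pass and the data stream trips the limit; with a 64 MiB budget all three expand and the total matches what the unbounded read produced.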