CVE-2026-42576 in apkothông tin

Tóm tắt

Bởi MITRE • 09/05/2026

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

chịu trách nhiệm

GitHub M

Đặt trước

28/04/2026

Tiết lộ

09/05/2026

Kiểm duyệt

được chấp nhận

mục

VDB-362465

CPE

sẵn sàng

CWE

CWE-704 (Đã xác nhận)

CVSS

6.5 (CNA)

EPSS

0.00035

KEV

không

Các hoạt động

rất thấp

Nguồn

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-42576
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-42576
CVE Details	https://www.cvedetails.com/cve/CVE-2026-42576/

◂ Trước Tổng Quan Tiếp theo ▸

Want to know what is going to be exploited?

We predict KEV entries!