CVE-2026-42574 Overview
CVE-2026-42574 is a path traversal vulnerability [CWE-22] in apko, the Chainguard tool that builds and publishes Open Container Initiative (OCI) container images from apk packages. Versions from 0.14.8 to before 1.2.5 mishandle TypeSymlink entries in tar archives during package extraction. A crafted .apk can install a symlink whose target points outside the build root. A subsequent directory-creation or file-write entry then traverses that symlink to reach host paths writable by the build user. The issue is patched in apko version 1.2.5.
Critical Impact
A malicious .apk package processed by apko can write arbitrary files to the host filesystem outside the intended build root, enabling supply chain compromise of container build infrastructure.
Affected Products
- apko versions 0.14.8 through 1.2.4
- Chainguard container build pipelines consuming untrusted .apk packages
- CI/CD systems invoking apko to assemble OCI images from external repositories
Discovery Timeline
- 2026-05-09 - CVE-2026-42574 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42574
Vulnerability Analysis
The vulnerability lives in the apko filesystem abstraction used to materialize package contents on disk. When apko processes a .apk tar archive, it iterates over entries and creates directories, files, and symlinks under a build root directory. The extraction logic resolves paths through the standard Go os package without constraining symlink resolution to the build root.
A crafted .apk includes a TypeSymlink entry such as link -> ../../../../etc. The symlink is created inside the build root. A later entry in the same archive (or a subsequent archive processed in the same build) references a path that traverses through the attacker-controlled symlink. The follow-up Mkdir, Create, or Mknod call then operates on a host path outside the build root, inheriting the privileges of the build user.
Root Cause
The root cause is missing sandbox containment during symlink resolution in the DirFS implementation. Path operations were not scoped through Go's os.Root API, which enforces that all path resolution stays within a designated root directory. Without that constraint, intermediate symlinks created by the archive were followed by subsequent syscalls.
Attack Vector
An attacker publishes or substitutes a malicious .apk consumed by an apko build. When apko extracts the package, the planted symlink is dereferenced by a later tar entry, granting file write primitives outside the build root. No authentication or user interaction is required on the build host; the build pipeline itself triggers extraction.
// Patch excerpt: pkg/apk/fs/rwosfs_mknod_linux.go
//go:build linux
package fs
import (
"path"
"golang.org/x/sys/unix"
)
// mknodOnDisk issues mknodat against a root-constrained parent directory FD
// so the syscall cannot be tricked into traversing a symlink out of the
// sandbox. If the underlying filesystem refuses the mode (e.g. tmpfs
// rejecting certain device types), a zero-byte placeholder is written
// through the root instead.
func (f *dirFS) mknodOnDisk(rel string, mode uint32, dev int) error {
Source: GitHub Commit f5a96e1
Detection Methods for CVE-2026-42574
Indicators of Compromise
- Files written outside the configured apko build root, particularly under user-writable host directories such as /home, /tmp, or the build user's home.
- .apk archives containing TypeSymlink entries whose targets contain .. sequences or absolute paths.
- Unexpected modifications to CI runner state, scripts, or SSH keys following an apko build.
Detection Strategies
- Inspect .apk packages with tar -tvf before consumption and flag any symlink entry whose target resolves outside the archive prefix.
- Compare the post-build filesystem state of CI runners against a known-good baseline to identify writes outside the build root.
- Audit apko version strings across build infrastructure and alert on any version between 0.14.8 and 1.2.4.
Monitoring Recommendations
- Run apko inside ephemeral containers or rootless sandboxes so any traversal is bounded by the container filesystem.
- Enable filesystem auditing on build hosts to log writes by the build user outside the designated workspace.
- Subscribe to GitHub Security Advisories for the chainguard-dev/apko repository to receive future fix notifications.
How to Mitigate CVE-2026-42574
Immediate Actions Required
- Upgrade apko to version 1.2.5 or later on all build hosts and CI runners.
- Restrict .apk package sources to trusted, signed repositories under organizational control.
- Run apko builds under dedicated low-privilege users with no write access to host directories outside the build workspace.
Patch Information
The fix is released in apko1.2.5. The patch scopes all DirFS operations through Go's os.Root, ensuring that Mkdir, Create, and Mknod calls cannot traverse symlinks outside the build root. See the GitHub Security Advisory GHSA-qq3r-w4hj-gjp6, GitHub Release v1.2.5, and Pull Request #2187 for full details.
Workarounds
- Execute apko inside a disposable container or VM so any out-of-root writes are confined to the sandbox.
- Pre-scan .apk archives for symlink entries with traversal targets and reject packages that contain them.
- Limit the build user's filesystem permissions to the build root only, preventing writes elsewhere on the host.
# Upgrade apko to the patched release
go install chainguard.dev/apko@v1.2.5
# Verify the installed version
apko version
# Pre-scan untrusted .apk packages for traversal symlinks
for pkg in *.apk; do
tar -tvf "$pkg" | awk '/^l/ {print $NF}' | grep -E '(^/|\.\./)' \
&& echo "REJECT: $pkg contains traversal symlink"
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
