CVE-2026-42575 Overview
CVE-2026-42575 is a missing integrity verification vulnerability in apko, a tool that builds and publishes Open Container Initiative (OCI) container images from apk packages. Versions prior to 1.2.7 verify the signature on APKINDEX.tar.gz but never compare individually downloaded .apk packages against the checksum recorded in the signed index. Attackers who can substitute download responses through compromised mirrors, HTTP repositories, or poisoned CDN caches can inject arbitrary packages into built container images. The flaw is tracked under [CWE-345: Insufficient Verification of Data Authenticity].
Critical Impact
Arbitrary package substitution during container image builds enables supply chain compromise of downstream OCI images produced by apko.
Affected Products
- Chainguard apko versions prior to 1.2.7
- OCI container images built using vulnerable apko releases
- Build pipelines consuming apk packages over untrusted transport or mirrors
Discovery Timeline
- 2026-05-09 - CVE-2026-42575 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42575
Vulnerability Analysis
apko fetches a signed APKINDEX.tar.gz from configured repositories and validates the index signature. The index contains per-package checksums that allow build tools to confirm that each downloaded .apk matches what the repository operator signed. apko exposes the parsed checksum through ChecksumString() and computes the downloaded package's control hash during expansion. The defect is that getPackageImpl() never compares the two values, so a mismatched package is accepted and installed into the resulting image.
Because apk repositories are commonly served over HTTP or through CDN edges, an attacker positioned on the network path or controlling a mirror can return a malicious package body while leaving the signed index untouched. The result is silent substitution at build time without any signature error.
Root Cause
The root cause is a missing equality check between the index-derived checksum and the runtime-computed control hash of the downloaded package. Both values are available within pkg/apk/apk/package_getter.go, but the comparison was never invoked before the patch.
Attack Vector
Exploitation requires the attacker to influence package download responses. Practical paths include operating or compromising a mirror, intercepting HTTP repository traffic, or poisoning a CDN cache fronting the apk repository. No authentication or user interaction is required on the build host.
return nil, fmt.Errorf("expanding %s: %w", pkg.PackageName(), err)
}
+ if err := verifyControlHash(pkg, exp.ControlHash); err != nil {
+ _ = exp.Close()
+ return nil, err
+ }
+
// If we don't have a cache, we're done.
if d.cache == nil {
return exp, nil
Source: GitHub commit a118c3d. The patch introduces verifyControlHash to compare the downloaded package's control hash against the checksum recorded in the signed APKINDEX.
Detection Methods for CVE-2026-42575
Indicators of Compromise
- Container images built by apko versions earlier than 1.2.7 that include packages whose control hashes do not match the signed APKINDEX entry.
- Build logs referencing apk repositories served over http:// rather than https://, or referencing mirrors outside the organization's allowlist.
- Unexpected binaries, services, or users inside images produced from previously stable apko configurations.
Detection Strategies
- Re-fetch the signed APKINDEX.tar.gz for each repository used in past builds and compare the recorded checksums against the .apk files present in produced image layers.
- Scan published OCI images for package contents that diverge from the expected apk manifest using software bill of materials (SBOM) diffing.
- Audit CI/CD pipelines for any apko invocation pinned to a version older than 1.2.7.
Monitoring Recommendations
- Alert on outbound build traffic to apk mirrors that are not part of an approved repository list.
- Monitor for plaintext HTTP fetches of .apk or APKINDEX.tar.gz from build runners.
- Track apko binary versions across build infrastructure and flag deployments still running pre-1.2.7 releases.
How to Mitigate CVE-2026-42575
Immediate Actions Required
- Upgrade apko to version 1.2.7 or later across all build hosts and CI runners.
- Rebuild and republish any OCI images produced by vulnerable apko versions after confirming the toolchain is patched.
- Restrict apk repository configuration to HTTPS endpoints under organizational control or trusted upstream mirrors.
Patch Information
The fix is included in apko release v1.2.7. Technical details and credit are documented in GHSA-hcwr-pq9g-rq3m. The implementation change is in commit a118c3d, which adds verifyControlHash invocation inside getPackageImpl().
Workarounds
- Pin apk repositories to HTTPS origins under direct organizational control to remove the mirror substitution path until patching completes.
- Run apko builds inside isolated network segments that block egress to untrusted mirrors and CDNs.
- Validate produced images out-of-band by comparing installed package hashes against the signed APKINDEX before publishing.
# Upgrade apko to the patched release
go install chainguard.dev/apko@v1.2.7
# Verify the installed version
apko version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
