CVE-2026-42576 Overview
CVE-2026-42576 is a denial of service vulnerability in apko, a tool from Chainguard that builds and publishes Open Container Initiative (OCI) container images from apk packages. The flaw resides in the DiscoverKeys function in pkg/apk/apk/implementation.go, which performs an unchecked type assertion on JSON Web Key Set (JWKS) keys retrieved from repository endpoints. When a repository returns a non-RSA key such as an Elliptic Curve (EC) key, the assertion panics and crashes the apko process. Any workflow that initializes the APK database and fetches repository keys is affected. The issue has been patched in version 1.2.7.
Critical Impact
A malicious or misconfigured repository JWKS endpoint can crash apko build pipelines by returning a non-RSA key, halting container image build and publish workflows.
Affected Products
- Chainguard apko versions prior to 1.2.7
- Build pipelines and CI systems invoking apko against external repositories
- Workflows initializing the APK database with remote JWKS key discovery
Discovery Timeline
- 2026-05-09 - CVE-2026-42576 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42576
Vulnerability Analysis
The vulnerability is a [CWE-704] incorrect type conversion in the DiscoverKeys function within pkg/apk/apk/implementation.go. The function iterates over keys returned from a repository's JWKS endpoint and unconditionally type-asserts each key as *rsa.PublicKey before passing it to x509.MarshalPKIXPublicKey. A Go type assertion written without the comma-ok idiom triggers a runtime panic when the underlying concrete type differs from the asserted type. If a repository returns an EC key, an OKP key, or a key of any other JWK type, the assertion fails and the apko process terminates.
The attacker-controlled input is the JWKS document served by the repository host. Because apko fetches and parses these keys during APK database initialization, a single malformed key entry is sufficient to disrupt the entire build. The crash propagates to any orchestration layer invoking apko, including CI/CD pipelines producing release artifacts.
Root Cause
The root cause is the absence of a type-check guard before the type assertion. The original code path assumed all JWKS keys would be RSA without validating the algorithm metadata or using a safe assertion pattern. Any deviation from RSA causes an unrecoverable panic rather than a handled error.
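The following Go program, added here as an illustration and not taken from apko itself, reproduces the two patterns side by side on a constructed key set containing one RSA and one EC key. The jwksKey type, discoverKeys loop and callerSurvives helper are assumptions that stand in for apko's JWKS handling; the two marshal functions mirror the pre-1.2.7 unchecked assertion and the comma-ok form introduced by the patch.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// jwksKey is a stand-in (an assumption, not apko's own type) for one parsed
// JWKS entry: its key ID plus the concrete public key the JWKS library decoded.
type jwksKey struct {
	KeyID string
	Key   crypto.PublicKey
}

// marshalUnchecked mirrors the pre-1.2.7 pattern: the assertion has no comma-ok,
// so a non-RSA key makes the Go runtime panic instead of returning an error.
func marshalUnchecked(k jwksKey) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(k.Key.(*rsa.PublicKey))
}

// marshalChecked mirrors the patched pattern: comma-ok assertion and a
// descriptive error for anything that is not *rsa.PublicKey.
func marshalChecked(k jwksKey) ([]byte, error) {
	rsaKey, ok := k.Key.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unsupported JWKS key type %T for key %q: expected *rsa.PublicKey", k.Key, k.KeyID)
	}
	return x509.MarshalPKIXPublicKey(rsaKey)
}

// discoverKeys walks a key set the way DiscoverKeys does, using the supplied
// marshal function, and maps "<kid>.rsa.pub" to the DER-encoded public key.
func discoverKeys(keys []jwksKey, marshal func(jwksKey) ([]byte, error)) (map[string][]byte, error) {
	out := make(map[string][]byte)
	for _, k := range keys {
		b, err := marshal(k)
		if err != nil {
			return nil, err
		}
		out[k.KeyID+".rsa.pub"] = b
	}
	return out, nil
}

// callerSurvives reports whether f returned without panicking. It confines the
// recover to one place so the crash can be observed without killing the process.
func callerSurvives(f func()) (survived bool) {
	defer func() {
		if r := recover(); r != nil {
			survived = false
		}
	}()
	f()
	return true
}

// sampleKeySet builds a constructed key set: one RSA key followed by one EC key,
// the mixed case that crashes the unchecked path.
func sampleKeySet() []jwksKey {
	rsaPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return []jwksKey{
		{KeyID: "repo-rsa-1", Key: &rsaPriv.PublicKey},
		{KeyID: "repo-ec-1", Key: &ecPriv.PublicKey},
	}
}

func main() {
	keys := sampleKeySet()
	fmt.Println("unchecked path survives mixed key set:",
		callerSurvives(func() { _, _ = discoverKeys(keys, marshalUnchecked) }))
	_, err := discoverKeys(keys, marshalChecked)
	fmt.Println("checked path returns error:", err)
}
```

Running it shows the unchecked loop never returns (the panic escapes to the recover in callerSurvives, which in a real build is the whole apko process dying), while the checked loop returns the structured error the patch introduces and lets the caller decide what to do.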
Attack Vector
Exploitation requires the victim to invoke apko against a repository whose JWKS endpoint returns a non-RSA key. The vector is network-based and requires user interaction in the form of executing a build. Confidentiality and integrity are not impacted; only availability is affected through process termination.
// Patched code in pkg/apk/apk/implementation.go
// Source: https://github.com/chainguard-dev/apko/commit/6604826b19e36e9bc6e196592800fad93738f4a1
}
keyName := key.KeyID + ".rsa.pub"
- b, err := x509.MarshalPKIXPublicKey(key.Key.(*rsa.PublicKey))
+ rsaKey, ok := key.Key.(*rsa.PublicKey)
+ if !ok {
+ return nil, fmt.Errorf("unsupported JWKS key type %T for key %q: expected *rsa.PublicKey", key.Key, key.KeyID)
+ }
+ b, err := x509.MarshalPKIXPublicKey(rsaKey)
if err != nil {
return nil, err
} else if len(b) == 0 {
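Review bot: Returning `nil, fmt.Errorf(...)` on the first non-RSA entry converts the panic into a hard failure of the entire DiscoverKeys pass, so a JWKS that carries one EC or OKP key alongside valid RSA keys still blocks the build, only now with a clean error. If a repository can legitimately publish a mixed key set, consider logging the `%T`/`%q` message and `continue`-ing past the unsupported entry so the RSA keys are still installed; if mixed sets are not expected, the early return is the right call. The `.rsa.pub` suffix on `keyName` is computed before the type check, which is harmless but worth moving after the guard so the name is only built for keys that are actually RSA.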
The patch replaces the unchecked assertion with the comma-ok form and returns a descriptive error when a non-RSA key is encountered. See the GitHub Security Advisory GHSA-m7hm-vm4x-28jf for additional detail.
Detection Methods for CVE-2026-42576
Indicators of Compromise
- Unexpected apko process termination with a Go runtime panic referencing *rsa.PublicKey interface conversion
- CI/CD pipeline failures during the APK database initialization phase
- Repository JWKS endpoints serving keys with kty values other than RSA
Detection Strategies
- Audit build logs for Go panic stack traces mentioning pkg/apk/apk/implementation.go and DiscoverKeys
- Inventory all apko binaries in build infrastructure and compare versions against 1.2.7
- Monitor outbound requests from build agents to unfamiliar APK repository hosts
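The two checks in the list above, auditing a repository's JWKS for non-RSA kty values and scanning build logs for the panic signature, can be scripted. The Go program below is an added example, not part of the advisory or of apko; the JWKS document and the log lines are constructed samples, and the stack-frame text is an approximation of what the Go runtime prints rather than a captured trace.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// jwks decodes only the JWKS fields (RFC 7517) this audit needs.
type jwks struct {
	Keys []struct {
		Kty string `json:"kty"`
		Kid string `json:"kid"`
	} `json:"keys"`
}

// nonRSAKeys parses a JWKS document and returns the entries whose kty is
// anything other than RSA, i.e. the keys that crash an unpatched apko.
func nonRSAKeys(doc []byte) ([]string, error) {
	var set jwks
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, fmt.Errorf("parse JWKS: %w", err)
	}
	var bad []string
	for _, k := range set.Keys {
		if k.Kty != "RSA" {
			bad = append(bad, fmt.Sprintf("%s (kty=%s)", k.Kid, k.Kty))
		}
	}
	return bad, nil
}

// isTypeAssertionPanic matches the runtime message of a failed *rsa.PublicKey
// assertion; isDiscoverKeysFrame matches the frames that place it in DiscoverKeys.
func isTypeAssertionPanic(line string) bool {
	return strings.Contains(line, "interface conversion") && strings.Contains(line, "*rsa.PublicKey")
}

func isDiscoverKeysFrame(line string) bool {
	return strings.Contains(line, "DiscoverKeys") || strings.Contains(line, "pkg/apk/apk/implementation.go")
}

// scanBuildLog reports a match only when both the conversion panic and a
// DiscoverKeys/implementation.go frame appear, so an unrelated panic is not
// misattributed to this CVE. The matching lines are returned as evidence.
func scanBuildLog(lines []string) (matched bool, evidence []string) {
	var sawPanic, sawFrame bool
	for _, l := range lines {
		if isTypeAssertionPanic(l) {
			sawPanic = true
			evidence = append(evidence, l)
		}
		if isDiscoverKeysFrame(l) {
			sawFrame = true
			evidence = append(evidence, l)
		}
	}
	return sawPanic && sawFrame, evidence
}

// sampleJWKS is a constructed key set with one RSA, one EC and one OKP entry;
// the key material fields hold placeholders, not real values.
const sampleJWKS = `{"keys":[
 {"kty":"RSA","kid":"repo-rsa-1","n":"placeholder-modulus","e":"AQAB"},
 {"kty":"EC","kid":"repo-ec-1","crv":"P-256","x":"placeholder-x","y":"placeholder-y"},
 {"kty":"OKP","kid":"repo-okp-1","crv":"Ed25519","x":"placeholder-x"}]}`

// sampleLog is a constructed build log; the frame line uses NNN placeholders
// where a real trace would carry a line number and offset.
var sampleLog = []string{
	"2026-05-10T12:00:01Z fetching repository keys from https://repo.example/packages",
	"panic: interface conversion: crypto.PublicKey is *ecdsa.PublicKey, not *rsa.PublicKey",
	"goroutine 1 [running]:",
	"chainguard.dev/apko/pkg/apk/apk.DiscoverKeys(0xc000010000)",
	"\tchainguard.dev/apko/pkg/apk/apk/implementation.go:NNN +0xNNN",
}

func main() {
	bad, err := nonRSAKeys([]byte(sampleJWKS))
	fmt.Println("non-RSA JWKS entries:", bad, "err:", err)
	matched, evidence := scanBuildLog(sampleLog)
	fmt.Println("CVE-2026-42576 crash signature in log:", matched)
	for _, e := range evidence {
		fmt.Println("  evidence:", e)
	}
}
```

The JWKS audit is the proactive side (run it against each repository host a pipeline is allowed to reach and fix or replace any non-RSA entries before apko sees them); the log scan is the reactive side for confirming that a pipeline failure was this crash rather than a generic panic.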
Monitoring Recommendations
- Alert on apko exit codes indicating runtime panic versus normal failure
- Track build pipeline reliability metrics for sudden spikes in crash-related failures
- Log and review repository URLs supplied to apko invocations across CI jobs
How to Mitigate CVE-2026-42576
Immediate Actions Required
- Upgrade apko to version 1.2.7 or later across all build hosts and container images
- Pin trusted APK repository URLs in build configurations to prevent redirection to untrusted JWKS endpoints
- Rebuild and republish any images produced by vulnerable apko versions to confirm pipeline integrity
Patch Information
Chainguard released the fix in apko v1.2.7. The patch commit 6604826 introduces a safe type assertion and returns a structured error for unsupported JWKS key types instead of panicking.
Workarounds
- Restrict apko to repositories known to publish RSA JWKS keys until upgrade is complete
- Run apko invocations under a supervisor that restarts builds and surfaces panic conditions for triage
- Use network egress controls to limit build agents to allowlisted repository hosts
# Verify installed apko version and upgrade
apko version
go install chainguard.dev/apko@v1.2.7
# Confirm upgrade: the installed version must sort at or after 1.2.7
# (a plain regex on "1.2.[7-9]" would miss 1.2.10+, 1.3+ and any 2.x release)
installed=$(apko version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
[ "$(printf '%s\n' 1.2.7 "$installed" | sort -V | head -n1)" = "1.2.7" ] && echo "apko $installed is patched" || echo "apko $installed is vulnerable"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.