CVE-2026-25140
Published: 04 February 2026
Summary
CVE-2026-25140 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Chainguard Apko. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 12.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25140 is a vulnerability in apko, a tool for building and publishing OCI container images from apk packages. Affected versions range from 0.14.8 to before 1.1.1. The issue resides in the ExpandApk function within pkg/apk/expandapk/expandapk.go, which expands .apk streams without enforcing decompression limits. This allows a maliciously crafted, highly compressed .apk file, served as a small input, to inflate into a massive tar stream, leading to excessive disk space and CPU consumption on the build host.
An attacker who controls or compromises an APK repository trusted by apko can exploit this remotely over the network with low complexity and no privileges required. Exploitation triggers resource exhaustion during the build process, resulting in denial of service through build failures, as reflected in the CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and the associated weaknesses CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
The vulnerability has been patched in apko version 1.1.1. The Chainguard security advisory (GHSA-f4w5-5xv9-85f6) and the patching commit (2be3903fe194ad46351840f0569b35f5ac965f09) detail the fix, which security practitioners should review for implementation guidance and upgrade recommendations.
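The decompression bound the advisory describes as missing, as an added Go example (not apko's own code and not the fix from the patching commit): it inflates a gzip stream, as .apk members are, and stops as soon as the inflated size crosses a caller-supplied cap, so a few kilobytes of compressed input can no longer fill the build host's disk. The expandWithLimit and makeBomb names, the constructed all-zero input and the 1 MiB cap are assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when the inflated stream exceeds the cap.
var ErrDecompressionLimit = errors.New("decompressed size exceeds limit")

// expandWithLimit inflates a gzip stream (an .apk is a series of gzip
// members, which compress/gzip reads back to back) and copies at most
// maxBytes of inflated data to dst. It returns the number of inflated bytes
// written and ErrDecompressionLimit as soon as the cap is crossed.
func expandWithLimit(src io.Reader, dst io.Writer, maxBytes int64) (int64, error) {
	gz, err := gzip.NewReader(src)
	if err != nil {
		return 0, err
	}
	defer gz.Close()
	// Read one byte past the cap: receiving it proves the stream is too large,
	// without ever inflating more than maxBytes+1 bytes.
	n, err := io.Copy(dst, io.LimitReader(gz, maxBytes+1))
	if err != nil {
		return n, err
	}
	if n > maxBytes {
		return n, ErrDecompressionLimit
	}
	return n, nil
}

// makeBomb builds a constructed test input: a gzip stream that inflates to
// inflatedSize bytes of zeros but compresses to a few KiB.
func makeBomb(inflatedSize int) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	_, _ = w.Write(make([]byte, inflatedSize))
	_ = w.Close()
	return buf.Bytes()
}

func main() {
	bomb := makeBomb(8 << 20) // 8 MiB inflated, roughly 8 KiB compressed
	fmt.Printf("compressed input: %d bytes\n", len(bomb))
	n, err := expandWithLimit(bytes.NewReader(bomb), io.Discard, 1<<20)
	fmt.Printf("stopped after %d inflated bytes, err=%v\n", n, err)
}
```

A real expander would apply the same cap per tar entry as well as to the whole stream, and would also bound the number of entries.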
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5381
Vulnerability details
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time and causing build failures or denial of service. This issue has been patched in version 1.1.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote resource exhaustion (a decompression bomb) on the build host, leading to DoS via application exploitation. It maps to T1499.004 with some uncertainty, as that sub-technique emphasizes crashes over pure resource exhaustion.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely remediation of the known flaw in apko's ExpandApk function through patching to version 1.1.1.
- SC-6 (Resource Availability): protects system resource availability by enforcing limits on CPU and disk space during decompression of APK packages to prevent exhaustion attacks.
- SI-10 (Information Input Validation): validates APK input streams to enforce decompression boundaries and reject maliciously compressed files that inflate into large tar streams.