CVE-2026-25140
Published: 04 February 2026
Summary
CVE-2026-25140 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Chainguard Apko. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its exploit likelihood ranks at the 5.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption.
Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.
Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables remote resource exhaustion (a decompression bomb) on the build host, leading to denial of service through application exploitation. It maps to T1499.004 with some uncertainty, since that sub-technique emphasizes crashes rather than pure resource exhaustion.
NVD Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.
Deeper analysis (AI)
CVE-2026-25140 is a vulnerability in apko, a tool for building and publishing OCI container images from apk packages. Affected versions range from 0.14.8 to before 1.1.1. The issue resides in the ExpandApk function within pkg/apk/expandapk/expandapk.go, which expands .apk streams without enforcing decompression limits. This allows a maliciously crafted, highly-compressed .apk file—served as a small input—to inflate into a massive tar stream, leading to excessive disk space and CPU consumption on the build host.
An attacker who controls or compromises an APK repository trusted by apko can exploit this remotely over the network with low complexity and no privileges required. Exploitation triggers resource exhaustion during the build process, resulting in denial of service through build failures, as reflected in the CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and the associated weaknesses CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
The vulnerability has been patched in apko version 1.1.1. The Chainguard security advisory (GHSA-f4w5-5xv9-85f6) and the patching commit (2be3903fe194ad46351840f0569b35f5ac965f09) detail the fix, which security practitioners should review for implementation guidance and upgrade recommendations.
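As an added illustration of the class of guard that closes this bug (this is not apko's code and not the change in the referenced commit), the Go function below caps the inflated size of a gzip stream before any of it reaches disk, and rejects a constructed zero-filled bomb that is small on the wire. It assumes the package payload is gzip-compressed data and uses the hypothetical names ExpandBounded and makeBomb.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit signals that the inflated output exceeded the cap.
var ErrDecompressionLimit = errors.New("decompression limit exceeded")

// ExpandBounded inflates a gzip stream into dst, writing at most maxBytes. If
// more data remains it returns ErrDecompressionLimit so the caller can abort.
func ExpandBounded(src io.Reader, dst io.Writer, maxBytes int64) (int64, error) {
	zr, err := gzip.NewReader(src)
	if err != nil {
		return 0, err
	}
	defer zr.Close()
	n, err := io.Copy(dst, io.LimitReader(zr, maxBytes))
	if err != nil {
		return n, err
	}
	// Probe one extra byte without writing it: success means the input
	// inflates beyond the cap; io.EOF means it fit within it.
	var probe [1]byte
	if _, err := io.ReadFull(zr, probe[:]); err == nil {
		return n, ErrDecompressionLimit
	} else if err != io.EOF {
		return n, err
	}
	return n, nil
}

// makeBomb is a constructed sample: inflatedSize zero bytes gzip to a few KiB.
func makeBomb(inflatedSize int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, inflatedSize)) // zeros compress roughly 1000:1
	zw.Close()
	return buf.Bytes()
}

func main() {
	bomb := makeBomb(64 << 20) // 64 MiB inflated, about 64 KiB on the wire
	n, err := ExpandBounded(bytes.NewReader(bomb), io.Discard, 8<<20)
	fmt.Printf("compressed %d bytes, wrote %d bytes, err: %v\n", len(bomb), n, err)
}
```

The cap is enforced on the decompressed byte count rather than on the compressed input size, which is the only measure a malicious repository cannot shrink.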