
CVE-2026-25140

Severity: High · Tag: DDoS

Published: 04 February 2026
Modified: 20 February 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed in apko 1.1.1)
CVSS Score: v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0004 (12.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25140 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Chainguard Apko. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 12.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25140 is a vulnerability in apko, a tool for building and publishing OCI container images from apk packages. Affected versions range from 0.14.8 to before 1.1.1. The issue resides in the ExpandApk function within pkg/apk/expandapk/expandapk.go, which expands .apk streams without enforcing decompression limits. This allows a maliciously crafted, highly compressed .apk file, served as a small input, to inflate into a massive tar stream, leading to excessive disk space and CPU consumption on the build host.

An attacker who controls or compromises an APK repository trusted by apko can exploit this remotely over the network with low complexity and no privileges required. Exploitation triggers resource exhaustion during the build process, resulting in denial of service through build failures, as reflected in the CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and the associated weaknesses CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).

The vulnerability has been patched in apko version 1.1.1. The Chainguard security advisory (GHSA-f4w5-5xv9-85f6) and the patching commit (2be3903fe194ad46351840f0569b35f5ac965f09) detail the fix, which security practitioners should review for implementation guidance and upgrade recommendations.
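The defensive pattern the fix category implies is to cap how much decompressed output an untrusted archive may produce before the expander gives up. The following is an added illustration, not apko's code and not the content of the patching commit: a bounded gzip expander that accepts output up to a caller-chosen budget and aborts with a distinct error once a stream tries to inflate past it. gzip is used as the stand-in format (apk v2 packages are gzip-compressed tar streams); the 1 MiB budget and the sample inputs are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when the decompressed output would exceed
// the caller's budget. A distinct error lets callers tell "stream ended" from
// "budget exhausted", which io.LimitReader alone does not.
var ErrDecompressionLimit = errors.New("decompressed size exceeds limit")

// ExpandBounded inflates a gzip stream into dst, writing at most maxBytes of
// decompressed data. If the stream would expand beyond maxBytes it stops and
// returns ErrDecompressionLimit, so a small bomb-like input cannot consume
// unbounded disk or CPU. It returns the number of bytes written to dst.
//
// Illustrative pattern only (assumption): this is not apko's implementation.
func ExpandBounded(compressed []byte, maxBytes int64, dst io.Writer) (int64, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return 0, err
	}
	defer gz.Close()

	// Read one byte past the budget so that an output of exactly maxBytes is
	// accepted while anything larger is detected without inflating all of it.
	// Because the gzip reader is pulled lazily, stopping here also bounds the
	// compressed input consumed and therefore the CPU spent inflating.
	n, err := io.Copy(dst, io.LimitReader(gz, maxBytes+1))
	if err != nil {
		return n, err
	}
	if n > maxBytes {
		return n, ErrDecompressionLimit
	}
	return n, nil
}

// compressBytes gzips data in memory. It exists only to build the constructed
// sample inputs used below.
func compressBytes(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	const limit = 1 << 20 // constructed budget: 1 MiB of decompressed output per stream

	// Constructed benign input: 1000 bytes of payload, well under the budget.
	benign, _ := compressBytes(bytes.Repeat([]byte("a"), 1000))
	n, err := ExpandBounded(benign, limit, io.Discard)
	fmt.Printf("benign: %d compressed bytes -> %d bytes, err=%v\n", len(benign), n, err)

	// Constructed bomb-like input: 64 MiB of zeros compresses to a few tens of KiB.
	bomb, _ := compressBytes(make([]byte, 64<<20))
	n, err = ExpandBounded(bomb, limit, io.Discard)
	fmt.Printf("bomb:   %d compressed bytes -> stopped after %d bytes, err=%v\n", len(bomb), n, err)
}
```

In a real expander the same wrapper would sit between the package stream and the tar reader, with a budget sized for the largest package the build is expected to consume, and the error would fail that package rather than the whole host. The authoritative fix for apko remains the linked advisory and commit.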

Vulnerability details

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host.

The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time and causing build failures or denial of service. This issue has been patched in version 1.1.1.

CWE(s): CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote resource exhaustion (a decompression bomb) on the build host, leading to denial of service via application exploitation. It maps to T1499.004 with some uncertainty, since that sub-technique emphasizes crashes rather than pure resource exhaustion.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25121 (same product: Chainguard Apko)
CVE-2026-25762 (shared CWE-400, CWE-770)
CVE-2026-25673 (shared CWE-400, CWE-770)
CVE-2026-40192 (shared CWE-400, CWE-770)
CVE-2026-34826 (shared CWE-400, CWE-770)
CVE-2026-42583 (shared CWE-400, CWE-770)
CVE-2026-25535 (shared CWE-400, CWE-770)
CVE-2026-41309 (shared CWE-400, CWE-770)
CVE-2025-70069 (shared CWE-400, CWE-770)
CVE-2025-68272 (shared CWE-400, CWE-770)

Affected Assets

Vendor: chainguard
Product: apko
Affected versions: 0.14.8 up to, but not including, 1.1.1

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent: Directly mitigates the vulnerability by requiring timely remediation of the known flaw in apko's ExpandApk function through patching to version 1.1.1.

prevent (SC-6 Resource Availability): Protects system resource availability by enforcing limits on CPU and disk space during decompression of APK packages to prevent exhaustion attacks.

prevent (SI-10 Information Input Validation): Validates APK input streams to enforce decompression boundaries and reject maliciously compressed files that inflate into large tar streams.
