Cyber Resilience

CVE-2026-42575

Severity: High
Published: 09 May 2026
Modified: 13 May 2026
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0002 (5.6th percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42575 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). EPSS ranks it at the 5.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
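The comparison the advisory describes as missing, written as an added example (not apko's own code). It assumes the apk-tools convention that the index records the control section's hash as "Q1" followed by the base64-encoded SHA-1 of the package's control segment; the control bytes below are constructed sample data, and the function names are hypothetical.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumption: APKINDEX stores the control-section hash as "C:Q1<base64 sha1>".
const q1Prefix = "Q1"

// ControlChecksum computes the index-style checksum string for a package's
// control section (the control tar.gz member of an .apk file).
func ControlChecksum(control []byte) string {
	sum := sha1.Sum(control)
	return q1Prefix + base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyControlChecksum is the step that was absent before apko 1.2.7: the
// checksum taken from the signed index is compared against the hash of the
// downloaded package's control section. It fails closed on an empty or
// malformed index value instead of silently accepting the package.
func VerifyControlChecksum(indexChecksum string, control []byte) error {
	if !strings.HasPrefix(indexChecksum, q1Prefix) {
		return fmt.Errorf("unsupported or missing index checksum %q", indexChecksum)
	}
	want, err := base64.StdEncoding.DecodeString(indexChecksum[len(q1Prefix):])
	if err != nil || len(want) != sha1.Size {
		return errors.New("malformed index checksum")
	}
	got := sha1.Sum(control)
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return fmt.Errorf("control checksum mismatch: index %s, downloaded %s",
			indexChecksum, ControlChecksum(control))
	}
	return nil
}

func main() {
	// Constructed sample standing in for the control segment of a downloaded .apk.
	control := []byte("constructed-control-section")
	indexValue := ControlChecksum(control)
	fmt.Println("genuine package:", VerifyControlChecksum(indexValue, control))
	fmt.Println("substituted package:", VerifyControlChecksum(indexValue, []byte("substituted-package")))
}
```

A real implementation would run this check on every fetched package before it is unpacked into the image, and treat any error as a hard build failure.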

MITRE ATT&CK Enterprise Techniques

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access): adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The missing comparison of each downloaded APK package against the checksum in the signed index directly enables supply-chain compromise through tampered dependencies in apko builds.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-69263 (shared CWE-494)
CVE-2026-22865 (shared CWE-494)
CVE-2026-34841 (shared CWE-494)
CVE-2026-22816 (shared CWE-494)
CVE-2025-34212 (shared CWE-494)
CVE-2025-24903 (shared CWE-345)
CVE-2024-50696 (shared CWE-494)
CVE-2026-33143 (shared CWE-345)
CVE-2025-1058 (shared CWE-494)
CVE-2026-27180 (shared CWE-494)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-345, CWE-494: mandates verification of data authenticity for software, firmware, and information.

Addresses CWE-345, CWE-494: provenance documentation and monitoring directly enable verification of authenticity for components and data throughout their history.

Addresses CWE-345, CWE-494: the control implements verification mechanisms that detect tampering by ensuring data authenticity.

Addresses CWE-494: policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.

Addresses CWE-494: blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks.

Addresses CWE-494: acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.

Addresses CWE-345: directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

Addresses CWE-494: mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.