PatchSiren cyber security CVE debrief

CVE-2026-42576 chainguard-dev CVE debrief

CVE-2026-42576 is a denial-of-service vulnerability in apko caused by an unchecked key-type assertion during repository key discovery. If apko processes a JWKS response that contains a non-RSA key, the process can panic and crash. The issue is fixed in apko version 1.2.7.

Vendor: chainguard-dev
Product: apko
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Teams using apko to initialize APK databases or fetch repository keys should pay attention, especially if they rely on external or mixed-format JWKS endpoints. Operators who build or publish OCI images with apko should prioritize updating.

Technical summary

In pkg/apk/apk/implementation.go, DiscoverKeys unconditionally type-asserts JWKS keys as *rsa.PublicKey without verifying the actual key type. When a repository JWKS endpoint returns a non-RSA key, such as an EC key, the unchecked assertion triggers a panic. The impact is availability-only: the apko process can crash during workflows that initialize the APK database and retrieve repository keys. The vulnerability is mapped to CWE-704 and carries CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Defensive priority

Medium. This is a crash/availability issue rather than a confidentiality or integrity compromise, but it can disrupt image build and publishing workflows that depend on apko.

Recommended defensive actions

  • Upgrade apko to version 1.2.7 or later.
  • Review any use of apko that consumes repository JWKS data, especially if the key type is not tightly controlled.
  • Validate JWKS key types before passing them into key-discovery logic in dependent code or integrations.
  • Monitor build and publishing pipelines for unexpected apko panics or crashes after key retrieval.
  • If you maintain a repository or JWKS endpoint, ensure it returns key types that are compatible with the consuming client expectations.

Evidence notes

The supplied advisory text states that DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey, and that a non-RSA key from a repository JWKS endpoint can panic and crash apko. The source corpus also identifies the fix in commit 6604826b19e36e9bc6e196592800fad93738f4a1 and release v1.2.7, with CWE-704 and CVSS v3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Official resources

Published by the source corpus on 2026-05-09; the advisory says the issue was patched in apko 1.2.7.