PatchSiren cyber security CVE debrief
CVE-2026-42574 Unknown Vendor CVE debrief
CVE-2026-42574 is a high-severity path traversal / symlink traversal issue in apko, the tool used to build and publish OCI container images from apk packages. A crafted .apk can create a TypeSymlink entry that points outside the build root, and a later directory-creation or file-write entry can follow that symlink to reach host paths the build user can write to. The issue is fixed in apko 1.2.5.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Teams that build OCI images with apko, especially if they consume apk packages from less-trusted sources or run builds in environments where the build user can write to sensitive host paths. Anyone running an affected apko version (0.14.8 up to, but not including, 1.2.5) should prioritize review.
Technical summary
The advisory describes a tar processing flaw in apko’s handling of .apk contents. An attacker-controlled TypeSymlink entry can point outside the extraction/build root. If a later archive entry creates a directory or writes a file through that symlink, the path resolution can escape the intended root and affect host locations writable by the build user. The source advisory maps this to CWE-22 and CWE-59, and NVD lists CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
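The two checks an extractor needs in order to close the pattern described above are (1) refusing a symlink whose target, resolved from the link's own directory, leaves the build root, and (2) resolving the parent of every later entry through any symlink that already exists on disk before creating a directory or opening a file there. The following Go program is an added illustration written for this debrief; it is not apko's code and does not reproduce the fixing commit. The function names (`safeDest`, `ExtractTar`), the `ErrEscapesRoot` sentinel and the sample archive built in `main` (a symlink pointing outside the root followed by a file written through it) are all assumptions constructed for the example.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("tar entry escapes build root")

// insideRoot reports whether p equals root or lies beneath it (both absolute and cleaned).
func insideRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeDest maps an entry name to its on-disk path under root: it rejects lexical escapes, then
// resolves the deepest existing ancestor through any symlink an earlier entry planted before
// creating missing directories, so neither the mkdir nor the write can leave root.
func safeDest(root, name string) (string, error) {
	name = filepath.Clean(filepath.FromSlash(name))
	if filepath.IsAbs(name) || name == ".." || strings.HasPrefix(name, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	parent := filepath.Join(root, filepath.Dir(name))
	existing := parent
	for existing != root {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing) // follows links already on disk
	if err != nil {
		return "", err
	}
	if parent = resolved + strings.TrimPrefix(parent, existing); !insideRoot(root, parent) {
		return "", ErrEscapesRoot
	}
	if err := os.MkdirAll(parent, 0o755); err != nil {
		return "", err
	}
	return filepath.Join(parent, filepath.Base(name)), nil
}

// ExtractTar writes directories, symlinks and regular files under root (an absolute path),
// stopping at the first entry that would escape it.
func ExtractTar(root string, r io.Reader) error {
	root, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		dest, err := safeDest(root, hdr.Name)
		if err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(dest, 0o755)
		case tar.TypeSymlink:
			// The kernel resolves a link target from the link's own directory (or from / when
			// absolute), so containment is checked from there, not from root.
			if filepath.IsAbs(hdr.Linkname) || !insideRoot(root, filepath.Join(filepath.Dir(dest), hdr.Linkname)) {
				return ErrEscapesRoot
			}
			err = os.Symlink(hdr.Linkname, dest)
		case tar.TypeReg:
			// O_EXCL refuses to open through anything already sitting at dest, symlinks included.
			var f *os.File
			if f, err = os.OpenFile(dest, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o644); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		}
		if err != nil {
			return err
		}
	}
}

func main() {
	root, _ := os.MkdirTemp("", "apko-root-")
	defer os.RemoveAll(root)
	var buf strings.Builder // constructed sample: a link out of the root, then a write through it
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "escape", Typeflag: tar.TypeSymlink, Linkname: "../../outside", Mode: 0o777})
	tw.WriteHeader(&tar.Header{Name: "escape/pwned", Typeflag: tar.TypeReg, Mode: 0o644})
	tw.Close()
	fmt.Println(ExtractTar(root, strings.NewReader(buf.String()))) // tar entry escapes build root
}
```

The first check alone would catch the constructed sample, since the link target itself escapes; the ancestor resolution in `safeDest` is what also covers a link that lands inside the root lexically but is chained through a symlink that already exists on disk, which is why `MkdirAll` runs only after that resolution. An apk is a gzip-compressed tar stream, so a caller would wrap the package in a `gzip.Reader` before handing it to `ExtractTar`.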
Defensive priority
High. The impact is integrity-focused tampering of build-system host paths, which can compromise image build outputs or the build environment. Upgrade is straightforward and should be treated as a priority for any affected build pipeline.
Recommended defensive actions
- Upgrade apko to version 1.2.5 or later.
- Identify any build pipelines using apko versions from 0.14.8 up to, but not including, 1.2.5 and schedule remediation.
- Rebuild images produced by affected versions after upgrading.
- Review whether your build environment allows the build user to write to sensitive host locations and tighten permissions where possible.
- Prefer trusted, validated apk inputs and review package provenance in image build workflows.
- Monitor build logs and host filesystems for unexpected writes or extraction behavior around image builds.
Evidence notes
The affected range and fix version come from the CVE description and GitHub Security Advisory references. NVD shows the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N and lists CWE-22 and CWE-59. The advisory and release references point to the fixing commit, pull request, and apko v1.2.5 release.
Official resources
CVE-2026-42574 was published and last modified on 2026-05-09T20:16:29.420Z, based on the supplied CVE timeline. The source item is an NVD modified feed entry marked "Received."