PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42575 Unknown Vendor CVE debrief

CVE-2026-42575 is an integrity flaw in apko: versions before 1.2.7 verify the signature on the APKINDEX but never compare a downloaded .apk against the checksum that the signed index records for it, so an attacker who can alter package downloads in transit or on a mirror or cache can get modified packages accepted into OCI images. The issue is fixed in apko 1.2.7.

Vendor
Unknown Vendor
Product
apko (per the CVE description; no vendor recorded)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Teams that use apko to build or publish OCI images from apk packages, especially when downloading from mirrors, HTTP repositories, or cached/CDN-served package sources.

Technical summary

apko verifies the signature on APKINDEX.tar.gz, and the signed index carries a checksum (the per-package C: field) for every package it lists. Prior to 1.2.7, however, apko never compared a downloaded .apk against that value: the index checksum is parsed and the control-section hash of the download is computed, but getPackageImpl() never checks one against the other, so a package whose bytes differ from what the signed index describes is silently accepted. The signature therefore authenticates the index but not the packages actually placed in the image. Anyone who can alter a .apk on its way to the builder (a compromised or mutable mirror, a poisoned cache or CDN edge, or an on-path attacker on a plain-HTTP repository) can substitute package contents. The result is a network-reachable integrity failure consistent with CWE-345 (insufficient verification of data authenticity) and CWE-494 (download of code without integrity check), with high impact on image contents.
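The comparison that was missing, written out as an added example. This is illustrative code, not apko's own implementation, and the function names (splitSegments, controlChecksum, verifyPackage, gzipTar, buildAPK) are invented for the example. It assumes the apk v2 layout of concatenated gzip members (optional signature, then control, then data), that the index C: value is "Q1" followed by the base64 SHA-1 of the compressed control segment, and that the datahash line in .PKGINFO is the SHA-256 of the compressed data segment, as apk-tools defines them; the packages it checks are constructed in buildAPK rather than downloaded. verifyPackage does what the vulnerable path skipped: it recomputes the control checksum of the downloaded bytes and compares it with the index value, then uses the now-trusted .PKGINFO to check the data segment, because the index checksum on its own does not cover the data segment.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
)

// segment is one gzip member of an apk v2 file ([signature][control][data]): raw is
// its compressed bytes as they sit in the .apk, body its first tar entry (.PKGINFO for control).
type segment struct{ raw, body []byte }

// splitSegments walks the concatenated gzip members. bytes.Reader is an io.ByteReader,
// so gzip reads exactly one member per pass and br.Len() marks each member's end exactly.
func splitSegments(apk []byte) ([]segment, error) {
	br := bytes.NewReader(apk)
	zr, err := gzip.NewReader(br)
	if err != nil {
		return nil, err
	}
	var segs []segment
	for start := 0; ; {
		zr.Multistream(false)
		tr := tar.NewReader(zr)
		_, err := tr.Next()
		var body []byte
		if err == nil {
			body, err = io.ReadAll(tr)
		}
		if err == nil {
			_, err = io.Copy(io.Discard, zr) // drain to the end of this member
		}
		if err != nil {
			return nil, fmt.Errorf("apk: bad segment %d: %w", len(segs), err)
		}
		end := len(apk) - br.Len()
		segs = append(segs, segment{apk[start:end], body})
		start = end
		if err := zr.Reset(br); err == io.EOF {
			return segs, nil
		} else if err != nil {
			return nil, err
		}
	}
}

// controlChecksum is the APKINDEX "C:" value: "Q1" + base64(SHA-1(compressed control segment)).
func controlChecksum(ctlRaw []byte) string {
	sum := sha1.Sum(ctlRaw)
	return "Q1" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPackage is the comparison the vulnerable path skipped: the download's control
// checksum must equal the signed index value, and .PKGINFO's datahash must match the data segment.
func verifyPackage(apk []byte, indexChecksum string) error {
	segs, err := splitSegments(apk)
	if err != nil {
		return err
	}
	if len(segs) < 2 {
		return fmt.Errorf("apk: expected at least a control and a data segment")
	}
	ctl, data := segs[len(segs)-2], segs[len(segs)-1]
	if got := controlChecksum(ctl.raw); got != indexChecksum {
		return fmt.Errorf("apk: control checksum mismatch: index %s, download %s", indexChecksum, got)
	}
	// Match a whole "datahash = <sha256 hex>" line; the prepended "\n" anchors the line start.
	want := []byte(fmt.Sprintf("\ndatahash = %x\n", sha256.Sum256(data.raw)))
	if !bytes.Contains(append([]byte("\n"), ctl.body...), want) {
		return fmt.Errorf("apk: data segment hash is not the datahash recorded in .PKGINFO")
	}
	return nil
}

// gzipTar writes one tar entry into one gzip member (constructed sample data, not a real package).
func gzipTar(name, body string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body))})
	io.WriteString(tw, body)
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// buildAPK assembles a constructed package: placeholder signature, .PKGINFO with datahash, one data file.
func buildAPK(script string) []byte {
	data := gzipTar("usr/bin/hello", script)
	ctl := gzipTar(".PKGINFO", fmt.Sprintf("pkgname = hello\npkgver = 1.0-r0\ndatahash = %x\n", sha256.Sum256(data)))
	sig := gzipTar(".SIGN.RSA.example.rsa.pub", "placeholder, not a real signature")
	return bytes.Join([][]byte{sig, ctl, data}, nil)
}
```

With the constructed packages, verifyPackage returns nil for the genuine file, a control checksum mismatch when a differently built package is offered under the same index entry, and a datahash mismatch when only the data segment has been swapped; a truncated download fails in splitSegments before any comparison is made. In a real client the indexChecksum argument is the C: field of the APKINDEX entry for the package being fetched, read only after the index signature has been verified, and the comparison must run on every download, cached or not.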

Defensive priority

High

Recommended defensive actions

  • Upgrade apko to 1.2.7 or later.
  • Rebuild any images created with vulnerable apko versions if package downloads could have been substituted during the build.
  • Prefer trusted, authenticated package distribution paths (TLS to repositories you control) and avoid plain HTTP or otherwise mutable mirrors where possible; transport security narrows the attacker's window but does not replace the per-package checksum comparison that the fix restores.
  • Review build pipelines, caches, and CDN dependencies for package-source tampering risk.
  • Monitor the GitHub security advisory and release notes for any follow-up guidance.

Evidence notes

The supplied CVE description states that apko verified the APKINDEX signature but never compared downloaded .apk packages to the signed checksum, allowing mismatched packages to be accepted. The NVD record and GitHub advisory/release references are the official sources confirming the issue, the fix, and the affected version boundary at 1.2.7. The CVE was published on 2026-05-09.

Official resources

Publicly disclosed on 2026-05-09; fixed in apko v1.2.7.