What is CVE-2026-25122?

CVE-2026-25122 is a medium-severity vulnerability in Chainguard-dev Apko, classified under Uncontrolled Resource Consumption. CVSS score: 5.5/10. Published 2026-02-04.

How severe is CVE-2026-25122?

Medium severity. CVSS v3 base score is 5.5 out of 10.

Resource exhaustion in Chainguard-dev Apko

CVE-2026-25122

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.000 (4.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.5 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Affected products

Chainguard-dev Apko — versions >= 0.14.8, < 1.1.0

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89 (x_refsource_CONFIRM)
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-25122?: CVE-2026-25122 is a medium-severity vulnerability in Chainguard-dev Apko, classified under Uncontrolled Resource Consumption. CVSS score: 5.5/10. Published 2026-02-04.
How severe is CVE-2026-25122?: Medium severity. CVSS v3 base score is 5.5 out of 10.