What is CVE-2026-25140?

CVE-2026-25140 is a high-severity vulnerability in Chainguard-dev Apko, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2026-02-04.

How severe is CVE-2026-25140?

High severity. CVSS v3 base score is 7.5 out of 10.

Resource exhaustion in Chainguard-dev Apko

CVE-2026-25140

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build h…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.000 (5.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Chainguard-dev Apko — versions >= 0.14.8, < 1.1.1

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6 (x_refsource_CONFIRM)
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-25140?: CVE-2026-25140 is a high-severity vulnerability in Chainguard-dev Apko, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2026-02-04.
How severe is CVE-2026-25140?: High severity. CVSS v3 base score is 7.5 out of 10.