HomeCVE Intelligence › CVE-2026-42575
CVSS 7.5 HIGH Vulnerability

CVE-2026-42575: apko doesn't verify downloaded apk packages against APKINDEX checksum (package substituti…

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and t…

7.5CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-42575
Vendorgo
Affected Productchainguard.dev/apko
Vulnerability TypeVulnerability
CVSS Score7.5 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. Fix: No fix available yet. Acknowledgements apko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.

🎯 Known Indicators of Compromise

{"type":"url","value":"https://1seal.org/)","confidence_score":0.82,"first_seen":"2026-05-04","source_count":1} {"type":"domain","value":"1seal.org","confidence_score":0.75,"first_seen":"2026-05-04","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-42575 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence