CVE-2026-42575

Name of the Vulnerable Software and Affected Versions apko (affected versions not specified)

Description apko verifies the signature on 'APKINDEX.tar.gz' but fails to compare individually downloaded '.apk' packages against the checksum recorded in the signed index. Although the checksum is parsed via ChecksumString() and the downloaded package control hash is computed, these values are not compared within the getPackageImpl() function. This allows mismatched packages to be silently accepted. An attacker capable of substituting download responses, such as through a compromised mirror, HTTP repository, or poisoned CDN cache, could install arbitrary packages into built images.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.