PT-2026-57371 · Go · Chainguard.Dev/Apko+1
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-54174
CVSS v3.1
8.3
High
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Previously, Apko verified the control section hash (
.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.Fix
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Chainguard.Dev/Apko
Chainguard.Dev/Melange