SCA: security update for chainguard.dev/apko (GHSA-6p9p-q6wh-9j89)

medium Tenable Self-Hosted Container Security Plugin ID 437480

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8
to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard,
gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip
inflation work and lead to resource exhaustion (availability impact). The Split function reads the first
tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without
any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK
streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process
slowdown. This issue has been patched in version 1.1.0. (CVE-2026-25122)

See Also

https://github.com/advisories/GHSA-6p9p-q6wh-9j89

Plugin Details

Severity: Medium

ID: 437480

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 2/4/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-25122

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/3/2026

Vulnerability Publication Date: 2/3/2026

Reference Information

CVE: CVE-2026-25122