CVE-2026-25122: CWE-400: Uncontrolled Resource Consumption in chainguard-dev apko
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0.
AI Analysis
Technical Summary
CVE-2026-25122 is a resource exhaustion vulnerability, classified under CWE-400, in the chainguard-dev apko tool, which is used to build and publish OCI container images from apk packages. The vulnerability exists in versions from 0.14.8 up to, but not including, 1.1.0, within the expandapk.Split function. This function processes APK archives by reading the first tar header and then draining the remainder of the gzip stream using io.Copy(io.Discard, gzi) without imposing any limit on the amount of data decompressed. Because the gzip stream is attacker-controlled, an adversary can craft an APK archive with a highly compressed payload that inflates to a very large size when decompressed. The absence of a maximum uncompressed byte count or an inflate-ratio cap causes the function to consume excessive CPU time during decompression, potentially leading to timeouts or process slowdowns. The result is a denial of service condition affecting availability. The vulnerability requires local or limited access to supply the malicious APK stream and some user interaction to trigger the decompression. There is no impact on confidentiality or integrity. The issue was addressed in apko version 1.1.0 by adding appropriate limits to the decompression process. No known exploits are reported in the wild as of the publication date.
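The drain pattern described above, alongside a bounded variant, as an added illustration that is not apko's own code: DrainUnbounded inflates whatever the stream contains, while DrainBounded wraps the gzip reader in an io.LimitReader so that at most one byte past the cap is ever decompressed. The gzip input is a constructed stream of zero bytes standing in for the first stream of an APK; the function names and the cap value are assumptions for this example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrInflateLimit is returned when a gzip stream inflates past the caller's cap.
var ErrInflateLimit = errors.New("gzip stream exceeds uncompressed byte limit")

// MakeGzip builds a constructed, highly compressible gzip stream of n zero bytes.
func MakeGzip(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, n)) // writes to a bytes.Buffer cannot fail
	zw.Close()
	return buf.Bytes()
}

// DrainUnbounded mirrors the pattern in the advisory: the whole stream is inflated
// and discarded, however large it turns out to be.
func DrainUnbounded(compressed []byte) (int64, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return 0, err
	}
	return io.Copy(io.Discard, zr)
}

// DrainBounded inflates at most maxBytes+1 bytes and fails fast when the stream
// has more, so the CPU spent on a decompression bomb is capped.
func DrainBounded(compressed []byte, maxBytes int64) (int64, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return 0, err
	}
	n, err := io.Copy(io.Discard, io.LimitReader(zr, maxBytes+1))
	if err == nil && n > maxBytes {
		err = ErrInflateLimit
	}
	return n, err
}

func main() {
	stream := MakeGzip(8 << 20) // 8 MiB of zeros compresses to a few KiB
	n, _ := DrainUnbounded(stream)
	fmt.Printf("unbounded: inflated %d bytes from %d compressed\n", n, len(stream))
	_, err := DrainBounded(stream, 1<<20) // assumed 1 MiB cap
	fmt.Println("bounded:", err)
}
```

A ratio cap (uncompressed bytes produced per compressed byte consumed) is a complementary check that the page mentions; it needs a counting wrapper around the compressed source and is not shown here.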
Potential Impact
For European organizations, the primary impact of CVE-2026-25122 is on the availability of container build pipelines that utilize vulnerable versions of apko. Organizations relying on apko to build OCI container images from apk packages may experience denial of service conditions if an attacker supplies crafted APK archives, causing excessive CPU consumption and process slowdowns or timeouts. This can delay or halt container image creation, impacting continuous integration/continuous deployment (CI/CD) workflows and potentially delaying software releases or updates. While the vulnerability does not compromise confidentiality or integrity, the disruption to availability can affect operational efficiency and service delivery. Organizations with automated build environments exposed to untrusted inputs or third-party APK packages are at higher risk. The absence of known exploits reduces immediate risk, but the medium severity rating and ease of triggering via crafted input warrant prompt remediation to avoid service interruptions.
Mitigation Recommendations
To mitigate CVE-2026-25122, European organizations should upgrade all instances of apko to version 1.1.0 or later, where the vulnerability has been patched by introducing limits on gzip decompression. Until upgrades can be applied, organizations should ensure that only trusted APK archives are processed by apko, for example by validating the provenance of packages before they reach the build step. Restricting access to the apko tool and its input sources to authorized personnel and systems reduces the risk of malicious input. Monitoring CPU usage and process duration during container builds can help detect anomalous resource consumption indicative of exploitation attempts. Additionally, applying resource limits at the operating system or container runtime level (e.g., cgroups or container resource quotas) prevents a single build process from exhausting system resources. Finally, reviewing and hardening CI/CD pipeline security to prevent injection of malicious artifacts is recommended.
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-29T14:03:42.539Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 2/4/2026, 7:15:09 PM
Last enriched: 2/4/2026, 7:30:04 PM
Last updated: 2/4/2026, 8:20:35 PM