CVE-2026-42576
MEDIUMDescription
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7.
Is your site exposed to CVE-2026-42576?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-42576? +
How severe is CVE-2026-42576? +
How do I check if I'm vulnerable to CVE-2026-42576? +
Related Vulnerabilities
Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in …
Arcane Software’s Vermillion FTP Daemon (vftpd) versions up to and including 1.31 contains a memory corruption vulnerability triggered by a …
Type confusion in Snapchat LensCore could lead to denial of service or arbitrary code execution prior to version 12.88. We …
An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to …
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This …
A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine. * The …