Cyber Posture

CVE-2026-42575

High

Published: 09 May 2026

Modified: 09 May 2026
KEV Added: not listed
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0001 (2.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42575 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, it is ranked at the 2.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not been run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-345 CWE-494

Mandates verification of data authenticity for software, firmware, and information.

addresses: CWE-345 CWE-494

Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.

addresses: CWE-345 CWE-494

The control implements verification mechanisms that detect tampering by ensuring data authenticity.

addresses: CWE-494

Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.

addresses: CWE-494

Blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks.

addresses: CWE-494

Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.

addresses: CWE-345

Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

addresses: CWE-494

Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.

NVD Description

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
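The description pins the defect to one missing step: the checksum from the signed index and the hash of the downloaded package are both computed, but never compared. The Go program below is an added example, not apko's code and not its 1.2.7 fix, of what that comparison looks like when it fails closed. It assumes the apk checksum convention as I understand it (an APKINDEX "C:" value is "Q1" followed by the base64 SHA-1 of the compressed control segment, the first gzip member of an unsigned package); the function names (BuildSamplePackage, ControlChecksum, ParseIndexChecksums, VerifyPackage) are hypothetical, and the package and index record are constructed inline rather than fetched from a repository.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// gzipTar builds one gzip member holding a single-file tar archive.
// Helper for constructing the sample package only.
func gzipTar(name string, content []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	tw := tar.NewWriter(zw)
	hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(content))}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(content); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// BuildSamplePackage constructs an unsigned apk-style package: a control
// segment (.PKGINFO) followed by a data segment. Constructed sample data.
func BuildSamplePackage(pkginfo, payload string) []byte {
	return append(gzipTar(".PKGINFO", []byte(pkginfo)), gzipTar("usr/bin/hello", []byte(payload))...)
}

// splitGzipMembers returns the raw compressed bytes of each gzip member in a
// concatenated stream. bytes.Reader is an io.ByteReader, so gzip/flate consume
// exactly one member and leave the reader at the start of the next.
func splitGzipMembers(pkg []byte) ([][]byte, error) {
	var segs [][]byte
	r := bytes.NewReader(pkg)
	for r.Len() > 0 {
		start := len(pkg) - r.Len()
		zr, err := gzip.NewReader(r)
		if err != nil {
			return nil, err
		}
		zr.Multistream(false) // stop at the end of this member
		if _, err := io.Copy(io.Discard, zr); err != nil {
			return nil, err
		}
		segs = append(segs, pkg[start:len(pkg)-r.Len()])
	}
	return segs, nil
}

// ControlChecksum computes the "C:" style identity checksum (assumed format:
// "Q1" + base64(SHA-1 of the compressed control segment)).
func ControlChecksum(pkg []byte) (string, error) {
	segs, err := splitGzipMembers(pkg)
	if err != nil {
		return "", err
	}
	if len(segs) < 2 {
		return "", errors.New("package lacks control and data segments")
	}
	sum := sha1.Sum(segs[0])
	return "Q1" + base64.StdEncoding.EncodeToString(sum[:]), nil
}

// ParseIndexChecksums reads APKINDEX-style records ("K:value" lines, records
// separated by a blank line) into a map of "name-version" -> C: checksum.
// The index bytes are expected to have had their signature verified already.
func ParseIndexChecksums(index string) map[string]string {
	out := map[string]string{}
	for _, rec := range strings.Split(index, "\n\n") {
		fields := map[string]string{}
		for _, line := range strings.Split(rec, "\n") {
			if k, v, ok := strings.Cut(line, ":"); ok {
				fields[k] = v
			}
		}
		if fields["P"] != "" && fields["C"] != "" {
			out[fields["P"]+"-"+fields["V"]] = fields["C"]
		}
	}
	return out
}

// VerifyPackage is the comparison the advisory describes as missing. Both a
// missing index entry and a mismatch are rejected (fail closed).
func VerifyPackage(index map[string]string, name, version string, pkg []byte) error {
	expected, ok := index[name+"-"+version]
	if !ok {
		return fmt.Errorf("%s-%s: no checksum in signed index", name, version)
	}
	actual, err := ControlChecksum(pkg)
	if err != nil {
		return err
	}
	if actual != expected {
		return fmt.Errorf("%s-%s: checksum mismatch (index %s, downloaded %s)", name, version, expected, actual)
	}
	return nil
}

func main() {
	good := BuildSamplePackage("P:hello\nV:1.0-r0\n", "hello\n")
	sum, _ := ControlChecksum(good)
	index := ParseIndexChecksums("C:" + sum + "\nP:hello\nV:1.0-r0\n\n")
	fmt.Println("genuine:", VerifyPackage(index, "hello", "1.0-r0", good))
	// A substituted download whose control section differs is rejected.
	swapped := BuildSamplePackage("P:hello\nV:1.0-r1\n", "hello\n")
	fmt.Println("substituted:", VerifyPackage(index, "hello", "1.0-r0", swapped))
}
```

The design point is where the trust boundary sits: the signature check covers only the index, so every package body fetched afterwards is untrusted until its hash is compared with the value the signed index records, and a download for which the index carries no entry must be refused rather than accepted by default.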

Deeper analysis (AI)

Automated synthesis unavailable for this CVE.

Details

CWE(s)

CVEs Like This One

CVE-2026-27180 (shared CWE-494)
CVE-2025-27680 (shared CWE-345)
CVE-2026-24775 (shared CWE-345)
CVE-2025-57431 (shared CWE-494)
CVE-2025-63910 (shared CWE-345)
CVE-2026-24772 (shared CWE-345)
CVE-2024-39805 (shared CWE-345)
CVE-2026-25921 (shared CWE-345)
CVE-2025-27593 (shared CWE-494)
CVE-2026-43534 (shared CWE-345)

References