CVE-2026-48702
ADVISORY - githubSummary
Description
The Package.Unmarshal() function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing max_apk_metadata_size check (default 1MB) is only applied to individual tar entry header sizes after decompression completes, so it does not prevent a decompression bomb from consuming unbounded heap memory.
An attacker can craft a gzip stream that compresses at a ~1000:1 ratio (e.g., 2MB compressed zeros → 2GB decompressed). When submitted as spec.package.content in an Alpine ProposedEntry, the server decompresses the full payload into memory during request processing, triggering a fatal Go runtime out-of-memory error or OS OOM-kill that cannot be caught by the server's recover() middleware.
This is reachable via two unauthenticated endpoints:
- POST /api/v1/log/entries (createLogEntry)
- POST /api/v1/log/entries/retrieve (searchLogQuery)
Both invoke V001Entry.Canonicalize() → fetchExternalEntities() → apk.Unmarshal(packageData), which performs the unbounded decompression.
Workarounds
There is no effective workaround. Setting max_request_body_size reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting max_apk_metadata_size has no effect on this vulnerability since the check is applied after decompression.
Common Weakness Enumeration (CWE)
Allocation of Resources Without Limits or Throttling
GitHub
3.9
CVSS SCORE
7.5highGoLang
-
Chainguard
CGA-6mjq-v293-wr6f
-
minimos
MINI-262p-9mfq-x47r
-
minimos
MINI-2mjr-fc9q-8gx3
-
minimos
MINI-2p4f-hphh-5999
-
minimos
MINI-2pcg-g68g-q46f
-
minimos
MINI-2v36-pmmg-v9x5
-
minimos
MINI-2v4f-6299-hc45
-
minimos
MINI-3v39-p98g-3vjg
-
minimos
MINI-3wh8-5jxc-f2r9
-
minimos
MINI-46g2-qq9m-ffqg
-
minimos
MINI-52cv-95rh-c6c4
-
minimos
MINI-546r-jg95-vx6r
-
minimos
MINI-54p2-xhfw-j7gh
-
minimos
MINI-56pf-3jjw-7q42
-
minimos
MINI-59mw-jmc8-wv49
-
minimos
MINI-5gm4-3xq9-cfqm
-
minimos
MINI-5jjv-jrv7-cqpj
-
minimos
MINI-5x2w-4665-7pc7
-
minimos
MINI-6ggm-3f39-5m3v
-
minimos
MINI-6v2r-gvpf-j47r
-
minimos
MINI-78v5-2325-97m6
-
minimos
MINI-8rh3-c5jx-xmp6
-
minimos
MINI-c5cg-hhc7-f4qm
-
minimos
MINI-c5gf-9rx7-89fw
-
minimos
MINI-c8qj-cwhf-mv68
-
minimos
MINI-ccpx-g9q9-h5w4
-
minimos
MINI-cg8q-6vgh-58rf
-
minimos
MINI-f645-vf77-h376
-
minimos
MINI-f66w-4r26-7833
-
minimos
MINI-fccg-j5m7-r3r8
-
minimos
MINI-fv8x-qh62-83r7
-
minimos
MINI-g536-2xv3-f6mc
-
minimos
MINI-gc7f-hwcx-5hv3
-
minimos
MINI-gr3x-cwg5-v2p3
-
minimos
MINI-grhp-mmv6-9fvv
-
minimos
MINI-gvxf-3gq2-v6hv
-
minimos
MINI-gwhv-5247-xmgh
-
minimos
MINI-h24w-9hqh-fwq3
-
minimos
MINI-hmjp-4p7v-7rpq
-
minimos
MINI-j4xr-47qh-5jgh
-
minimos
MINI-j8c7-vw62-rgpj
-
minimos
MINI-jmh9-gcf4-g9jg
-
minimos
MINI-p5wg-4f8f-r364
-
minimos
MINI-pvq6-jqj6-f5q3
-
minimos
MINI-q5m2-375r-wg7p
-
minimos
MINI-q6r5-3r4m-m22c
-
minimos
MINI-q8vr-7jhx-h95w
-
minimos
MINI-qrvj-wwjc-r73f
-
minimos
MINI-r55q-v3px-673p
-
minimos
MINI-rgph-v5qx-3h52
-
minimos
MINI-rr5f-2ph5-83m4
-
minimos
MINI-vxvh-fm97-jvh9
-
minimos
MINI-wrm5-9r79-r8gg
-
minimos
MINI-wxr8-f454-h8hf
-
minimos
MINI-x55v-mhmj-3fg9
-
minimos
MINI-xp2h-fx9v-v7h2
-
minimos
MINI-xp2w-6jrx-fj3p
-