EXECUTIVE SUMMARY:
CVE-2026-48702, with a CVSS score of 7.5, is a high-severity vulnerability in the Rekor package affecting versions 0.3.0 to 1.5.2. The `Package.Unmarshal()` function in `pkg/types/alpine/apk.go` performs unbounded gzip decompression in the Alpine APK parsing logic, so a gzip stream that decompresses at a high ratio can exhaust memory and trigger a fatal out-of-memory error. Such a stream can be submitted through unauthenticated endpoints such as POST /api/v1/log/entries or POST /api/v1/log/entries/retrieve, both of which invoke the vulnerable `apk.Unmarshal()` function. The result is a denial of service with significant business impact, including system crashes and potential data loss. Exploitation requires no specific access or privileges; the only prerequisite is the ability to submit a crafted gzip stream to the vulnerable endpoints, which takes minimal effort and resources.
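As an added illustration (this is not code from Rekor or from the advisory), the following Go snippet shows the defensive pattern that addresses this class of bug: capping how many bytes a gzip reader is allowed to produce before the decoder gives up, instead of buffering the whole decompressed stream. The function names, the error value and the 4 KiB / 1 MiB limits are assumptions chosen for the demonstration; the sample input is constructed in the block and is a stream of repeated bytes, which is the high-ratio shape the advisory describes.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when the decompressed output would
// exceed the configured cap. (Name is an assumption for this example.)
var ErrDecompressedTooLarge = errors.New("decompressed data exceeds configured limit")

// DecompressBounded decodes a gzip stream but never holds more than maxBytes
// of output in memory. A stream that would expand past the cap is rejected
// early with ErrDecompressedTooLarge rather than exhausting the heap.
func DecompressBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, fmt.Errorf("invalid gzip header: %w", err)
	}
	defer zr.Close()

	// Allow one byte beyond the cap so "exactly maxBytes" can be told apart
	// from "more than maxBytes" without reading the rest of the stream.
	limited := io.LimitReader(zr, maxBytes+1)
	out, err := io.ReadAll(limited)
	if err != nil {
		return nil, fmt.Errorf("gzip decode: %w", err)
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

// Compress builds a constructed test input: n identical bytes gzip down to a
// tiny payload, i.e. a very high decompression ratio.
func Compress(n int) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(bytes.Repeat([]byte{'A'}, n)); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed input: 1 MiB of 'A' compresses to roughly 1 KiB.
	payload, err := Compress(1 << 20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed size: %d bytes\n", len(payload))

	// A 4 KiB cap stops the decoder long before the full 1 MiB is allocated.
	if _, err := DecompressBounded(payload, 4096); err != nil {
		fmt.Println("4 KiB cap:", err)
	}

	// A cap large enough for the real content still decodes normally.
	out, err := DecompressBounded(payload, 1<<20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("1 MiB cap: decoded %d bytes\n", len(out))
}
```

The cap should reflect the largest legitimate artifact the endpoint needs to accept; with `io.LimitReader` the cost of a malicious stream is bounded by that number regardless of the declared or actual decompression ratio.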
RECOMMENDATION:
We recommend updating Rekor to version 1.5.2.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-47q9-m4ww-924m