THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-fpg8-7664-jc5q (high) — melange: Incomplete package integrity verification allows data section substitution

[GHSA] GHSA-fpg8-7664-jc5q (high) — melange: Incomplete package integrity verification allows data section substitution

medgithub_advisoriesPublished 2026-07-10

GHSA-fpg8-7664-jc5q Severity: high CVE: CVE-2026-54174

melange: Incomplete package integrity verification allows data section substitution

Previously, Apko verified the control section hash (`.PKGINFO` etc.) against the signed `APKINDEX`, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a pa

Indicators of compromise

Original source: https://github.com/advisories/GHSA-fpg8-7664-jc5q