THREAT OPS › Threat News › [GHSA] GHSA-fpg8-7664-jc5q (high) — melange: Incomplete package integrity verification allows data section substitution
[GHSA] GHSA-fpg8-7664-jc5q (high) — melange: Incomplete package integrity verification allows data section substitution
GHSA-fpg8-7664-jc5q Severity: high CVE: CVE-2026-54174
melange: Incomplete package integrity verification allows data section substitution
Previously, Apko verified the control section hash (`.PKGINFO` etc.) against the signed `APKINDEX`, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a pa
Indicators of compromise
- CVE-2026-54174cve
Original source: https://github.com/advisories/GHSA-fpg8-7664-jc5q