Melange: Unbounded Disk Writes from Malicious Build Configs
CVE-2026-29049
GHSA-7rp8-r62p-q6wc
Summary
Melange's build feature allows an attacker to exhaust a system's disk space by creating a malicious build configuration. This can lead to build failures and potential system crashes. Users should update to the latest version to prevent this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| chainguard.dev | melange | <= 0.40.5 | – |
| melange | chainguard.dev/melange | <= 0.40.5 | – |
| chainguard | melange | <= 0.40.5 | – |
Original description
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. There is no known patch publicly available.
NVD CVSS 3.1 score: 4.3
Vulnerability type
CWE-400: Uncontrolled Resource Consumption
CWE-918: Server-Side Request Forgery (SSRF)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026