CVE-2026-29049

Medium CVSS: 4.3

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.

Vendor

Chainguard

Product

Melange

CWE

CWE-400

Yayın Tarihi

2026-03-06 07:16:02

Güncelleme

2026-03-10 19:28:57

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-400 Melange MEDIUM Chainguard 2026

Referanslar

https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc

Benzer Kayıtlar

High

CVE-2026-28406

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in vers…

Medium

CVE-2026-28407

malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior…

High

CVE-2026-25143

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacke…

Medium

CVE-2026-25145

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacke…

High

CVE-2026-24843

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker…

High

CVE-2026-24844

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker…