CVE-2026-29049 - Vulnerability Details

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Chainguard	Melange
Chainguard-dev	Melange

Configuration 1 [-]

cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*

No data.

References

Link	Providers
https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc

History

Tue, 10 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Chainguard Chainguard melange
CPEs		cpe:2.3:a:chainguard:melange::::::go::*
Vendors & Products		Chainguard Chainguard melange

Mon, 09 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Chainguard-dev Chainguard-dev melange
Vendors & Products		Chainguard-dev Chainguard-dev melange

Fri, 06 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description		melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.
Title		melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI
Weaknesses		CWE-400 CWE-918
References		https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-06T07:03:10.361Z

Updated: 2026-03-09T20:00:19.899Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29049

Vulnrichment

Updated: 2026-03-09T20:00:14.380Z

NVD

Status : Analyzed

Published: 2026-03-06T07:16:02.093

Modified: 2026-03-10T19:28:57.330

Link: CVE-2026-29049

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object