CVE-2026-24843

Severity: 8.2 HIGH

📋 TL;DR

CVE-2026-24843 is a path traversal vulnerability in melange that lets an attacker who can influence the tar stream melange receives from a QEMU guest VM write files outside the intended workspace directory, up to and including overwriting critical system files. melange versions 0.11.3 through 0.40.2 are affected when they are used to build apk packages with the QEMU runner.

💻 Affected Systems

Products:
  • melange
Versions: 0.11.3 to 0.40.2
Operating Systems: Linux, Any OS running melange
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users building apk packages with melange using QEMU guest VMs.

📦 What is this software?

melange is Chainguard's open-source tool for building apk packages (the package format used by Alpine Linux and Wolfi) from declarative YAML build definitions. Build steps execute inside a sandboxed runner; one of the supported runners is a QEMU guest VM, which is the configuration this advisory concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary file write leading to remote code execution, privilege escalation, or data destruction.

🟠

Likely Case

Unauthorized file writes to sensitive locations, potentially disrupting system operations or enabling further attacks.

🟢

If Mitigated

Limited impact if proper sandboxing and isolation are in place, though file system integrity could still be compromised.

🌐 Internet-Facing: MEDIUM - Requires ability to influence tar streams from QEMU guests, which typically involves some level of access.
🏢 Internal Only: HIGH - Internal attackers with VM access could exploit this to compromise build infrastructure.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Requires ability to influence tar streams from QEMU guest VMs, which typically requires some level of access or control over the build process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.40.3

Vendor Advisory: https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4

Restart Required: No

Instructions:

1. Update melange to version 0.40.3 or later by whatever route you installed it (a release binary from the project's GitHub releases, `go install chainguard.dev/melange@latest`, or your package manager).
2. Confirm the upgrade took effect with `melange version`.
3. No restart is required: melange is a CLI build tool, not a daemon. Do, however, rebuild any CI runner or container image that bundles the melange binary, otherwise pipelines keep running the old version.

🔧 Temporary Workarounds

Restrict QEMU guest access (linux)

Limit who can control or influence the QEMU guest VMs melange uses. Note that "influence" includes anything that executes inside the guest during a build: the guest's output is the tar stream the host side extracts, so an untrusted build step or build-time dependency can shape that stream without any direct access to the VM.

Use isolated build environments (linux)

Run melange in a container or sandbox whose filesystem is read-only apart from the workspace, so that a write which escapes the workspace fails instead of landing in a system directory.

🧯 If You Can't Patch

  • Implement strict access controls on who can submit or modify build pipelines.
  • Monitor file system writes outside workspace directories and implement integrity checking.

🔍 How to Verify

Check if Vulnerable:

Check the melange version: if it is between 0.11.3 and 0.40.2 inclusive and you build with the QEMU runner, you are vulnerable. Builds that never use QEMU guest VMs are outside the scope the advisory describes.

Check Version:

melange version

Verify Fix Applied:

Confirm that `melange version` reports 0.40.3 or later on every build host and in every CI image that ships the binary. If you want a functional check as well, feed the QEMU workspace extraction an archive you built yourself containing `../` entries and confirm nothing is written outside the workspace; do not test with material taken from an untrusted guest.
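The containment check a fixed extractor has to perform, shown as an added illustration rather than melange's own code (the workspace path is assumed, and the archive below is constructed inside the block, not captured from any guest): every tar entry name, and every symlink target, is resolved against the workspace root and refused when the cleaned result lands outside it.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrEscape marks an entry whose destination would fall outside the workspace.
var ErrEscape = errors.New("tar entry escapes workspace root")

// safeJoin resolves an entry name against root and refuses it unless the cleaned
// destination is root itself or a path strictly below root. Absolute names are
// refused outright rather than silently re-rooted.
func safeJoin(root, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrEscape
	}
	cleanRoot := filepath.Clean(root)
	dest := filepath.Join(cleanRoot, name) // Join cleans, so "a/../../x" collapses before the check.
	if dest != cleanRoot && !strings.HasPrefix(dest, cleanRoot+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return dest, nil
}

// checkLink applies the same rule to a symlink target, resolved relative to the
// directory the link lives in, so a later entry cannot be written through it.
func checkLink(root, name, target string) error {
	if filepath.IsAbs(target) {
		return ErrEscape
	}
	_, err := safeJoin(root, filepath.Join(filepath.Dir(name), target))
	return err
}

// Result lists the entry names an extractor would write and those it would refuse.
type Result struct {
	Accepted []string
	Rejected []string
}

// screenArchive walks a tar stream and applies the containment checks before any
// write would happen; an extractor built on it writes only accepted entries.
func screenArchive(root string, r io.Reader) (Result, error) {
	var res Result
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return res, nil
		}
		if err != nil {
			return res, err
		}
		if _, err := safeJoin(root, hdr.Name); err != nil {
			res.Rejected = append(res.Rejected, hdr.Name)
			continue
		}
		if hdr.Typeflag == tar.TypeSymlink {
			if err := checkLink(root, hdr.Name, hdr.Linkname); err != nil {
				res.Rejected = append(res.Rejected, hdr.Name)
				continue
			}
		}
		res.Accepted = append(res.Accepted, hdr.Name)
	}
}

// buildSample constructs an in-memory archive standing in for a guest-produced
// stream (constructed data): a benign file, a "../" traversal entry, an absolute
// entry, a symlink that climbs above root, and a harmless relative symlink.
func buildSample() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct {
		hdr  tar.Header
		body string
	}{
		{tar.Header{Name: "pkg/bin/hello", Mode: 0o755, Typeflag: tar.TypeReg}, "#!/bin/sh\necho hi\n"},
		{tar.Header{Name: "../../etc/cron.d/evil", Mode: 0o644, Typeflag: tar.TypeReg}, "* * * * * root id\n"},
		{tar.Header{Name: "/etc/passwd", Mode: 0o644, Typeflag: tar.TypeReg}, "x\n"},
		{tar.Header{Name: "pkg/escape", Typeflag: tar.TypeSymlink, Linkname: "../../../../"}, ""},
		{tar.Header{Name: "pkg/inner", Typeflag: tar.TypeSymlink, Linkname: "bin"}, ""},
	}
	for _, e := range entries {
		h := e.hdr
		h.Size = int64(len(e.body))
		if err := tw.WriteHeader(&h); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Assumed workspace path; melange's real on-disk layout is not taken from the page.
	res, err := screenArchive("/var/lib/melange/workspace", bytes.NewReader(buildSample()))
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", res.Accepted)
	fmt.Println("rejected:", res.Rejected)
}
```

Two points the example makes that the version check alone does not: `filepath.Clean` or `Join` on its own is not a defence, because `../` collapses into a perfectly valid path above the root, so containment has to be a prefix test on the cleaned result; and symlink targets need the same test, otherwise a later entry can be written through a link that points at a system directory.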

📡 Detection & Monitoring

Log Indicators:

  • File writes outside workspace directories
  • Path traversal patterns in tar extraction logs
  • Unexpected file modifications in system directories

Network Indicators:

  • Unusual outbound connections from build hosts that do not correspond to dependency fetches
  • Network telemetry is a weak signal for this issue: the tar stream travels between the QEMU guest and the melange process on the build host, so host-side file write monitoring is the primary control and network indicators only catch follow-on activity

SIEM Query:

Search for the melange process writing files outside its expected workspace paths. Key the query on destination directory and process rather than on literal `../` strings: the traversal pattern appears in the tar entry name, but by the time the write reaches the kernel the path has already been resolved, so file-write events from melange (or its child processes) whose target is outside the workspace, in particular under /etc, /usr or /root, are the signal.

🔗 References

  • Vendor advisory GHSA-qxx2-7h4c-83f4: https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4