CVE-2026-29049
📋 TL;DR
This vulnerability in melange allows attackers to cause disk exhaustion on build runners by specifying malicious URIs in build configurations. The update-cache function downloads files without size limits or timeouts, enabling unbounded disk writes. Users running melange version 0.40.5 or earlier for APK package building are affected.
💻 Affected Systems
- melange
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disk exhaustion on build runners causing service disruption, data loss, and potential denial of service for all builds on affected systems.
Likely Case
Build runner disk space exhaustion leading to failed builds and temporary service disruption until disk space is manually cleared.
If Mitigated
Controlled disk usage with monitoring alerts triggering before critical exhaustion, allowing proactive intervention.
🎯 Exploit Status
Exploitation requires ability to modify melange build configurations or inject malicious URIs into build pipelines.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc
Restart Required: No
Instructions:
No official patch available. Monitor vendor advisory for updates and apply when released.
🔧 Temporary Workarounds
Implement URI validation and restrictions
Restrict melange configurations to only allow URIs from trusted sources and implement URI validation.
Set disk quotas on build runners
Implement filesystem quotas to limit disk usage per build process or user.
# Linux example: setquota -u builduser 1000000 1200000 0 0 /
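As an added illustration of the URI-restriction workaround above, and of the missing size limit and timeout the TL;DR describes, the following Go function is a bounded fetch written for this page (it is not melange's code; the Policy type, FetchBounded, and the error values are hypothetical names). It rejects hosts outside an allowlist, refuses redirects, applies an overall timeout, and stops writing one byte past a hard size cap so an oversize body fails the download instead of filling the disk.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/url"
	"time"
)
// Policy bounds a cache download (hypothetical type for this example, not melange's own).
type Policy struct {
	AllowedHosts   map[string]bool // exact host[:port] values a build may fetch from
	MaxBytes       int64           // hard cap on bytes written to disk per download
	Timeout        time.Duration   // deadline covering connect, headers and body
	AllowPlainHTTP bool            // only for the loopback test server; keep false in production
}

var ErrTooLarge = errors.New("download exceeds size cap")
var ErrNotAllowed = errors.New("uri rejected by policy")

// FetchBounded copies at most p.MaxBytes of the response body to dst and fails
// closed on an untrusted host or scheme, a redirect, a timeout, or an oversize body.
func FetchBounded(p Policy, rawURL string, dst io.Writer) (int64, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return 0, err
	}
	if u.Scheme != "https" && !(p.AllowPlainHTTP && u.Scheme == "http") {
		return 0, ErrNotAllowed
	}
	if !p.AllowedHosts[u.Host] {
		return 0, ErrNotAllowed
	}
	client := &http.Client{
		Timeout: p.Timeout, // covers the whole exchange, including the body read
		// Refuse redirects so an allowlisted host cannot bounce the fetch elsewhere.
		CheckRedirect: func(*http.Request, []*http.Request) error { return ErrNotAllowed },
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	// Read one byte past the cap so a missing or understated Content-Length is still caught.
	n, err := io.Copy(dst, io.LimitReader(resp.Body, p.MaxBytes+1))
	if err == nil && n > p.MaxBytes {
		err = ErrTooLarge
	}
	return n, err
}
```

In a real runner the caller should also delete the partially written file when ErrTooLarge or a timeout is returned, so aborted downloads do not accumulate on disk.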
🧯 If You Can't Patch
- Monitor disk usage on build runners with aggressive alerting thresholds
- Restrict who can submit melange build configurations and implement code review for config changes
🔍 How to Verify
Check if Vulnerable:
Run melange version. If the reported version is 0.40.5 or earlier, the system is vulnerable.
Check Version:
melange version
Verify Fix Applied:
When patch becomes available, verify version is greater than 0.40.5 and test update-cache functionality with controlled URIs.
📡 Detection & Monitoring
Log Indicators:
- Rapid disk space consumption on build runners
- Large file downloads in melange logs
- Failed builds due to disk space errors
Network Indicators:
- Unusual outbound connections from build runners to external URIs
- Large data transfers to build runners
SIEM Query:
source="melange" AND ("update-cache" OR "downloading") AND size>1000000000