CVE-2026-29049
Unbounded Disk Write Vulnerability in Melange update-cache Component
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard | melange | up to and including 0.40.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29049 is a vulnerability in the melange tool, specifically in the `melange update-cache` command for versions up to 0.40.5. The issue occurs because the tool downloads URIs from build configurations using `io.Copy` without any size limits or HTTP client timeouts.
This means that if an attacker controls a URI in a melange configuration, they can cause the tool to download an unlimited amount of data, leading to unbounded disk writes.
As a result, this can exhaust the disk space on the build runner, especially in continuous integration environments, potentially disrupting the build process.
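As an added example (not melange's own code), the pattern the advisory describes, an `io.Copy` from a response body with no cap on a client with no timeout, next to its bounded form: an `http.Client` with a `Timeout` plus an `io.LimitReader` cap that rejects oversized bodies after at most one byte past the limit. The function names, the byte cap and the sample body are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// ErrTooLarge is returned when a body exceeds the configured byte cap.
var ErrTooLarge = errors.New("download exceeds size limit")

// copyBounded copies at most maxBytes from src to dst. It reads one byte past
// the cap so an exactly-at-limit body is accepted, while an oversized body is
// rejected after maxBytes+1 bytes instead of streaming until the disk is full.
func copyBounded(dst io.Writer, src io.Reader, maxBytes int64) (int64, error) {
	n, err := io.Copy(dst, io.LimitReader(src, maxBytes+1))
	if err != nil {
		return n, err
	}
	if n > maxBytes {
		return n, ErrTooLarge
	}
	return n, nil
}

// fetchBounded is the hardened form of io.Copy(dst, resp.Body) on a client with
// no Timeout: the whole exchange (body read included) gets a deadline and a cap.
func fetchBounded(url string, dst io.Writer, maxBytes int64, timeout time.Duration) (int64, error) {
	resp, err := (&http.Client{Timeout: timeout}).Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("unexpected status %s", resp.Status)
	}
	if resp.ContentLength > maxBytes { // advisory header: reject early, still cap the real read
		return 0, ErrTooLarge
	}
	return copyBounded(dst, resp.Body, maxBytes)
}

func main() {
	// Constructed stand-in for a fetched body: 16 bytes against a 10-byte cap.
	n, err := copyBounded(io.Discard, strings.NewReader("0123456789abcdef"), 10)
	fmt.Println(n, err) // 11 download exceeds size limit
}
```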
How can this vulnerability impact me?
This vulnerability can impact you by causing unbounded disk writes on the system running melange, which can exhaust available disk space.
The exhaustion of disk space can lead to denial of service conditions on the build runner, disrupting build processes and availability.
The vulnerability does not affect confidentiality or integrity, but it does affect availability at a low level.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unbounded disk writes caused by the melange update-cache command downloading attacker-controlled URIs without size limits or timeouts. Detection can focus on monitoring disk usage patterns and network activity related to melange processes.
- Monitor disk space usage on build runners or CI environments to detect sudden or unusual disk exhaustion.
- Check running melange processes and their network connections to identify unexpected or suspicious HTTP downloads.
- Use commands like `lsof` or `fuser` to identify files being written by melange processes.
- Use network monitoring tools (e.g., `tcpdump`, `netstat`) to observe outgoing HTTP requests initiated by melange.
- Example commands:
  - `df -h` to check disk space usage.
  - `ps aux | grep melange` to find running melange processes.
  - `lsof -p <melange_pid>` to list open files by melange.
  - `tcpdump -i any port 80 or port 443` to capture HTTP/HTTPS traffic.
What immediate steps should I take to mitigate this vulnerability?
Since there is no known patch publicly available for this vulnerability, immediate mitigation should focus on limiting exposure and resource consumption.
- Avoid running melange update-cache with untrusted or attacker-controlled build configurations.
- Implement disk quotas or limits on build runners to prevent disk exhaustion.
- Use network-level controls such as firewall rules or proxy restrictions to limit melange's ability to download from untrusted URIs.
- Monitor disk usage and network activity closely during melange operations.
- Consider isolating build environments to contain potential resource exhaustion impacts. [1]