CVE-2026-29049
Received Received - Intake
Unbounded Disk Write Vulnerability in Melange update-cache Component

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29049
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chainguard melange to 0.40.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29049 is a vulnerability in the melange tool, specifically in the melange update-cache command for versions up to 0.40.5. The issue occurs because the tool downloads URIs from build configurations using io.Copy without any size limits or HTTP client timeouts.

This means that if an attacker controls a URI in a melange configuration, they can cause the tool to download an unlimited amount of data, leading to unbounded disk writes.

As a result, this can exhaust the disk space on the build runner, especially in continuous integration environments, potentially disrupting the build process.

Impact Analysis

This vulnerability can impact you by causing unbounded disk writes on the system running melange, which can exhaust available disk space.

The exhaustion of disk space can lead to denial of service conditions on the build runner, disrupting build processes and availability.

The vulnerability does not affect confidentiality or integrity, but it does affect availability at a low level.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves unbounded disk writes caused by the melange update-cache command downloading attacker-controlled URIs without size limits or timeouts. Detection can focus on monitoring disk usage patterns and network activity related to melange processes.

  • Monitor disk space usage on build runners or CI environments to detect sudden or unusual disk exhaustion.
  • Check running melange processes and their network connections to identify unexpected or suspicious HTTP downloads.
  • Use commands like `lsof` or `fuser` to identify files being written by melange processes.
  • Use network monitoring tools (e.g., `tcpdump`, `netstat`) to observe outgoing HTTP requests initiated by melange.
  • Example commands:
  • `df -h` to check disk space usage.
  • `ps aux | grep melange` to find running melange processes.
  • `lsof -p <melange_pid>` to list open files by melange.
  • `tcpdump -i any port 80 or port 443` to capture HTTP/HTTPS traffic.
Mitigation Strategies

[{'type': 'paragraph', 'content': 'Since there is no known patch publicly available for this vulnerability, immediate mitigation should focus on limiting exposure and resource consumption.'}, {'type': 'list_item', 'content': 'Avoid running melange update-cache with untrusted or attacker-controlled build configurations.'}, {'type': 'list_item', 'content': 'Implement disk quotas or limits on build runners to prevent disk exhaustion.'}, {'type': 'list_item', 'content': "Use network-level controls such as firewall rules or proxy restrictions to limit melange's ability to download from untrusted URIs."}, {'type': 'list_item', 'content': 'Monitor disk usage and network activity closely during melange operations.'}, {'type': 'list_item', 'content': 'Consider isolating build environments to contain potential resource exhaustion impacts.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29049. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart