Description
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.
Published: 2026-02-04
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Write
Action: Patch immediately
AI Analysis

Impact

A path traversal flaw in the melange build engine permits an attacker who can supply the input tar stream from a QEMU guest to write arbitrary files outside the intended workspace directory on the host. The flaw lies in the retrieveWorkspace routine, which extracts tar entries without validating that the paths remain within the workspace, thus enabling '../' sequences to escape the intended path. The vulnerability is classified as CWE‑22, indicating improper handling of file paths. An attacker could place malicious payloads or overwrite critical files on the host, potentially escalating privileges or compromising system integrity.

Affected Systems

Chainguard melange versions between 0.11.3 (inclusive) and 0.40.2 (inclusive) are affected. Version 0.40.3 and later contain a patch that validates tar entry paths to prevent out‑of‑directory writes.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity vulnerability. The EPSS score of less than 1% suggests that, at present, the probability of exploitation is very low and no widespread exploitation has been observed. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this issue from a position that can influence the tar stream sent by the QEMU guest, which may be a local or privileged attacker with control over the build environment. The path traversal flaw allows them to write arbitrary files, leading to potential compromise of host system integrity.

Generated by OpenCVE AI on April 17, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to melange 0.40.3 or later where the tar extraction validates paths
  • Ensure that only trusted entities can supply tar streams to the melange process, isolating the QEMU guest from influencing the build input
  • Restrict melange runner permissions and isolate the workspace, for example by running the build in a sandboxed container or chroot environment

Generated by OpenCVE AI on April 17, 2026 at 23:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qxx2-7h4c-83f4 melange QEMU runner could write files outside workspace directory
History

Wed, 18 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard
Chainguard melange
CPEs cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*
Vendors & Products Chainguard
Chainguard melange

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard-dev
Chainguard-dev melange
Vendors & Products Chainguard-dev
Chainguard-dev melange

Wed, 04 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.
Title melange QEMU runner could write files outside workspace directory
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H'}

Subscriptions

Chainguard Melange
Chainguard-dev Melange
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:33:15.392Z

Reserved: 2026-01-27T14:51:03.059Z

Link: CVE-2026-24843

cve-icon Vulnrichment

Updated: 2026-02-05T14:20:18.291Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T20:16:05.393

Modified: 2026-02-18T15:57:38.797

Link: CVE-2026-24843

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses