CVE-2026-29049
MEDIUM · CVSS 3.1 base score 4.3 · EPSS 7.4%
Published Mar 6, 2026 · Modified Mar 10, 2026
Description
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads the URIs referenced by build configs via io.Copy with no size limit and no HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can therefore produce unbounded disk writes and exhaust the disk on the build runner, and because the client has no timeout a server that stalls can hold the build indefinitely. No patch is publicly known at the time of this entry.
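The pattern the advisory describes, placed beside a hardened version, as an added example written for this page (hypothetical code, not melange's own cache.go; the function names, the 1 MiB budget and the two local chunked-streaming servers are constructed for the demo). The hardened variant bounds the transfer in time with a context and a client Timeout, rejects an advertised Content-Length above the budget before writing anything, and wraps the body in io.LimitReader so the cap holds even when the response is chunked or the Content-Length header lies:

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// ErrTooLarge reports a body that exceeded the caller's byte budget.
var ErrTooLarge = errors.New("response body exceeds size limit")

// vulnerableDownload is the shape the advisory describes: the default client
// (no timeout) and io.Copy with no upper bound, so a server that keeps sending
// fills dst until the disk is full.
func vulnerableDownload(uri string, dst io.Writer) (int64, error) {
	resp, err := http.Get(uri)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return io.Copy(dst, resp.Body)
}

// boundedDownload is a hypothetical hardened replacement: the context and the
// client's Timeout bound the transfer in time, an advertised Content-Length
// above the budget is rejected before any byte is written, and io.LimitReader
// caps the copy even when Content-Length is absent (chunked) or lies.
func boundedDownload(ctx context.Context, client *http.Client, uri string, dst io.Writer, maxBytes int64) (int64, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
	if err != nil {
		return 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("unexpected status %s", resp.Status)
	}
	if resp.ContentLength > maxBytes { // ContentLength is -1 when unknown
		return 0, ErrTooLarge
	}
	// Read one byte past the budget: a body of exactly maxBytes is accepted,
	// anything longer is detected without being written in full.
	n, err := io.Copy(dst, io.LimitReader(resp.Body, maxBytes+1))
	if err == nil && n > maxBytes {
		err = ErrTooLarge
	}
	return n, err
}

const maxBytes = 1 << 20 // 1 MiB budget, chosen for the demo

// serveChunked is a constructed local server that streams size bytes in
// flushed 64 KiB chunks, so the response is chunked and has no Content-Length.
func serveChunked(size int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		chunk := bytes.Repeat([]byte("A"), 64<<10)
		for sent := 0; sent < size; {
			k := len(chunk)
			if size-sent < k {
				k = size - sent
			}
			if _, err := w.Write(chunk[:k]); err != nil {
				return // client closed the connection (the bounded copy gave up)
			}
			w.(http.Flusher).Flush()
			sent += k
		}
	}))
}

// DemoResult records what each variant wrote against the constructed servers.
type DemoResult struct {
	SmallWritten   int64 // bounded copy of a 16 KiB body: accepted in full
	BigRejected    bool  // bounded copy of a 4 MiB body returned ErrTooLarge
	BigWrittenStop int64 // bytes written before the bounded copy stopped
	BigWrittenVuln int64 // bytes the unbounded copy wrote for the same body
}

func runDemo() (DemoResult, error) {
	var res DemoResult
	small, big := serveChunked(16<<10), serveChunked(4<<20)
	defer small.Close()
	defer big.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	client := &http.Client{Timeout: 30 * time.Second} // http.DefaultClient has no Timeout

	n, err := boundedDownload(ctx, client, small.URL, io.Discard, maxBytes)
	if err != nil {
		return res, err
	}
	res.SmallWritten = n
	n, err = boundedDownload(ctx, client, big.URL, io.Discard, maxBytes)
	res.BigRejected, res.BigWrittenStop = errors.Is(err, ErrTooLarge), n
	res.BigWrittenVuln, err = vulnerableDownload(big.URL, io.Discard)
	return res, err
}

func main() {
	res, err := runDemo()
	fmt.Printf("%+v err=%v\n", res, err)
}
```

Against the 4 MiB stream the bounded copy stops after 1 MiB plus one byte and reports ErrTooLarge, while the unbounded copy writes all 4 MiB; with a server that never stops sending, the unbounded copy would never return. Note that the Content-Length precheck alone is not a defence: both demo servers send chunked responses with no Content-Length at all, so only the LimitReader stops them.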
CVSS Details
Base Score: 4.3 (CVSS 3.1)
Exploitability sub-score: 2.8, Impact sub-score: 1.4 (both computed from the vector below with the CVSS 3.1 formulas)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required (a user must run melange update-cache against the malicious config)
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low
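To check that the 4.3 above follows from the vector string, here is an added CVSS 3.1 base-score calculator (written for this page, not part of the tracker or of melange). It implements the metric weights, the Impact and Exploitability sub-score formulas and the Roundup function from the CVSS 3.1 specification; the parser only handles the eight base metrics and rejects anything else:

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Score is a CVSS 3.1 base score with the two sub-scores it is built from.
type Score struct {
	Base, Impact, Exploitability float64
}

// Metric weights from the CVSS 3.1 specification. PR depends on scope:
// index 0 applies to S:U, index 1 to S:C.
var (
	wAV  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
	wAC  = map[string]float64{"L": 0.77, "H": 0.44}
	wUI  = map[string]float64{"N": 0.85, "R": 0.62}
	wCIA = map[string]float64{"H": 0.56, "L": 0.22, "N": 0.0}
	wPR  = map[string][2]float64{"N": {0.85, 0.85}, "L": {0.62, 0.68}, "H": {0.27, 0.50}}
)

// roundUp is the specification's Roundup: work in integer hundred-thousandths
// so that 4.2476 becomes 4.3 while 4.0 stays 4.0 without float drift.
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// parseVector splits "CVSS:3.1/AV:N/AC:L/..." into a metric map.
func parseVector(v string) (map[string]string, error) {
	parts := strings.Split(v, "/")
	if parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("not a CVSS 3.1 vector: %q", v)
	}
	m := make(map[string]string)
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 || kv[1] == "" {
			return nil, fmt.Errorf("malformed metric %q", p)
		}
		m[kv[0]] = kv[1]
	}
	return m, nil
}

// pick looks up one metric's weight, failing on a missing or unknown value.
func pick(m map[string]string, name string, table map[string]float64) (float64, error) {
	w, ok := table[m[name]]
	if !ok {
		return 0, fmt.Errorf("metric %s has invalid value %q", name, m[name])
	}
	return w, nil
}

// BaseScore computes Base, Impact and Exploitability for a 3.1 base vector.
func BaseScore(vector string) (Score, error) {
	m, err := parseVector(vector)
	if err != nil {
		return Score{}, err
	}
	changed := m["S"] == "C"
	if !changed && m["S"] != "U" {
		return Score{}, fmt.Errorf("metric S has invalid value %q", m["S"])
	}
	pr, ok := wPR[m["PR"]]
	if !ok {
		return Score{}, fmt.Errorf("metric PR has invalid value %q", m["PR"])
	}
	var w [6]float64
	for i, mt := range []struct {
		name  string
		table map[string]float64
	}{{"AV", wAV}, {"AC", wAC}, {"UI", wUI}, {"C", wCIA}, {"I", wCIA}, {"A", wCIA}} {
		if w[i], err = pick(m, mt.name, mt.table); err != nil {
			return Score{}, err
		}
	}
	av, ac, ui, c, i, a := w[0], w[1], w[2], w[3], w[4], w[5]
	iss := 1 - (1-c)*(1-i)*(1-a) // Impact Sub-Score
	s := Score{Exploitability: 8.22 * av * ac * ui}
	if changed {
		s.Exploitability *= pr[1]
		s.Impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	} else {
		s.Exploitability *= pr[0]
		s.Impact = 6.42 * iss
	}
	switch {
	case s.Impact <= 0:
		s.Base = 0
	case changed:
		s.Base = roundUp(math.Min(1.08*(s.Impact+s.Exploitability), 10))
	default:
		s.Base = roundUp(math.Min(s.Impact+s.Exploitability, 10))
	}
	return s, nil
}

// round1 rounds a sub-score to one decimal, the way NVD displays them.
func round1(x float64) float64 { return math.Round(x*10) / 10 }

func main() {
	s, err := BaseScore("CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L")
	fmt.Printf("base=%.1f impact=%.1f exploitability=%.1f err=%v\n",
		s.Base, round1(s.Impact), round1(s.Exploitability), err)
}
```

For this CVE's vector the sub-scores come out as Impact 1.41 and Exploitability 2.84, which sum to 4.25 and round up to 4.3. Only the base score uses the specification's Roundup; the sub-scores are shown with ordinary one-decimal rounding, matching how NVD presents them.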
Threat Intelligence
EPSS exploit probability: 7.4% percentile
Exploit status: no known exploit
Patch status: no patch available
Weaknesses (2)
- CWE-400: Uncontrolled Resource Consumption
- CWE-918: Server-Side Request Forgery (SSRF)
Both follow from the same behaviour: the build runner fetches whatever URI the config names, and places no bound on the response it receives.
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| chainguard | melange | * | ≤0.40.5 |
References (1)
- github.com https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc
Remediation
No remediation data recorded yet. Check the vendor advisory and the NVD entry for patch availability.
Until a fixed release exists, treat melange configs as trusted input to melange update-cache: do not run it against configs from untrusted contributors, and run it where a disk quota or a container storage limit bounds the damage an unbounded download can do.