CVE-2026-29049 in melange
Summary
by MITRE • 03/06/2026
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. There is no known patch publicly available.
Analysis
by VulDB Data Team • 03/12/2026
The vulnerability identified as CVE-2026-29049 affects the melange package management system used for building apk packages through declarative pipelines. This issue exists in versions 0.40.5 and earlier where the update-cache functionality fails to implement proper safeguards when downloading resources from build configurations. The core problem lies in how melange handles remote URI downloads during the caching process, specifically within the pkg/renovate/cache/cache.go component where io.Copy operations are executed without any constraints on data transfer size or network timeout parameters.
The technical flaw represents a classic case of insufficient input validation and resource limitation controls that can be exploited by malicious actors who gain control over melange configuration files. When an attacker can manipulate the build configuration to include a specially crafted URI, they can initiate a download operation that proceeds without any upper bounds on the amount of data that can be transferred or written to disk. This vulnerability directly maps to CWE-770, which describes allocation of resources without limits or proper checking, and also aligns with CWE-400, addressing unspecified resource exhaustion conditions that can lead to denial of service scenarios.
The operational impact of this vulnerability is severe as it can lead to complete system compromise through disk exhaustion attacks. An attacker who controls a melange configuration file can cause the build runner to consume all available disk space by downloading arbitrarily large files from remote sources, effectively rendering the build environment unusable and potentially causing cascading failures in dependent systems. This type of attack falls under the ATT&CK technique T1499.001, which covers network denial of service attacks, and specifically targets the resource consumption aspect of system compromise. The vulnerability is particularly dangerous in automated build environments where multiple configurations might be processed sequentially, allowing for cumulative disk exhaustion effects.
The lack of a publicly available patch for this vulnerability creates a significant risk for organizations relying on melange for package building operations, as they remain exposed to potential exploitation without any immediate remediation path. Organizations should implement immediate mitigations such as restricting access to melange configuration files, implementing network-level restrictions to prevent access to untrusted URIs, and monitoring disk usage patterns for unusual consumption. Additionally, manual code reviews should be conducted to identify and remove any potentially malicious URIs from existing configurations, while also considering temporary workarounds that involve local caching of all required resources before initiating build processes. The vulnerability demonstrates the critical importance of implementing proper resource limits and timeout mechanisms in network operations, particularly in systems that process untrusted input through automated pipelines.
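The two download patterns contrasted below are an added Go example, not melange's own code: unboundedFetch reproduces the untimed io.Copy pattern the analysis describes, and boundedFetch is the hardened form with a request deadline and a hard byte cap that the closing paragraph calls for. Function names, the ErrTooLarge sentinel and the cap value passed by the caller are assumptions of this example.

```go
package main

import (
	"context"
	"errors"
	"io"
	"net/http"
)

// ErrTooLarge reports a remote body that would exceed the caller's cap.
var ErrTooLarge = errors.New("remote body exceeds size limit")

// unboundedFetch mirrors the flawed pattern: no client timeout, no byte cap.
func unboundedFetch(uri string, dst io.Writer) (int64, error) {
	resp, err := http.Get(uri) // http.DefaultClient has Timeout == 0
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return io.Copy(dst, resp.Body) // writes until the server stops sending
}

// boundedFetch is the hardened form: ctx and client.Timeout bound time, maxBytes bounds disk writes.
func boundedFetch(ctx context.Context, client *http.Client, uri string, dst io.Writer, maxBytes int64) (int64, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
	if err != nil {
		return 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, errors.New("unexpected HTTP status " + resp.Status)
	}
	if resp.ContentLength > maxBytes { // honest oversized response: reject before reading
		return 0, ErrTooLarge
	}
	n, err := io.CopyN(dst, resp.Body, maxBytes) // io.EOF here just means the body was shorter
	if err != nil && !errors.Is(err, io.EOF) {
		return n, err
	}
	if n == maxBytes { // Content-Length may be absent or lie (chunked streams): probe one more byte
		if _, err := io.ReadFull(resp.Body, make([]byte, 1)); err == nil {
			return n, ErrTooLarge // overflow detected; the probe byte never reaches dst
		}
	}
	return n, nil
}
```

Pair boundedFetch with an http.Client whose Timeout is set, or a context.WithTimeout, so that a server that trickles bytes slowly is cut off as well as one that sends too many.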