High severityNVD Advisory· Published Feb 4, 2026· Updated Feb 5, 2026
melange QEMU runner could write files outside workspace directory
CVE-2026-24843
Description
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
chainguard.dev/melangeGo | >= 0.11.3, < 0.40.3 | 0.40.3 |
Affected products
6- osv-coords5 versionspkg:apk/chainguard/cgpkg:apk/chainguard/wolfictlpkg:apk/wolfi/wolfictlpkg:golang/chainguard.dev/melangepkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 0.2.201-r0+ 4 more
- (no CPE)range: < 0.2.201-r0
- (no CPE)range: < 0.39.0-r1
- (no CPE)range: < 0.39.0-r1
- (no CPE)range: >= 0.11.3, < 0.40.3
- (no CPE)range: < 0.0.20260205T172317-150000.1.146.1
- Range: >= 0.11.3, < 0.40.3
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-qxx2-7h4c-83f4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24843ghsaADVISORY
- github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612bghsax_refsource_MISCWEB
- github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.