CVE-2026-29049 Overview
CVE-2026-29049 is a Resource Exhaustion vulnerability affecting Chainguard Melange, a tool that allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, the melange update-cache command downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout in the pkg/renovate/cache/cache.go file. An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk space on the build runner.
Critical Impact
An attacker can craft a malicious melange configuration file containing attacker-controlled URIs that trigger unbounded disk writes, leading to denial of service through disk exhaustion on build runners. This is particularly concerning in CI/CD environments where build runners may be shared resources.
Affected Products
- Chainguard Melange version 0.40.5 and prior versions
- Go-based implementations of Melange package builder
- Build runners using affected Melange versions
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-29049 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-29049
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The flaw exists in the cache handling functionality of Melange, specifically within pkg/renovate/cache/cache.go. When processing build configurations, the update-cache command fetches resources from URIs specified in the configuration files.
The core issue is that the implementation uses Go's io.Copy function to download content from these URIs without implementing two critical safeguards: a maximum size limit for downloaded content and an HTTP client timeout. This allows an attacker who can influence the build configuration to specify a URI that serves an extremely large or infinitely streaming response.
In shared build environments or CI/CD pipelines, this vulnerability can be weaponized to consume all available disk space, causing build failures, service disruptions, and potentially affecting other processes running on the same system.
Root Cause
The root cause is improper resource management in the cache download functionality. The io.Copy function in Go will continue copying data until EOF is received or an error occurs. Without a size limit, the function will write data indefinitely if the remote server continues to provide content. Additionally, the absence of HTTP client timeouts means connections can remain open indefinitely, allowing slow-drip attacks that gradually exhaust resources.
Attack Vector
The attack requires user interaction as the victim must process a malicious melange configuration file containing an attacker-controlled URI. The attacker would craft a configuration file pointing to a resource that either:
- Serves an extremely large file that exceeds available disk space
- Streams data indefinitely without closing the connection
- Implements a slow-drip attack to avoid detection while gradually consuming resources
When a developer or build system executes melange update-cache with this malicious configuration, the unbounded write operation begins, eventually exhausting disk space on the build runner.
The vulnerability is exploited through the network attack vector, requiring no privileges on the target system but requiring user interaction to process the malicious configuration.
Detection Methods for CVE-2026-29049
Indicators of Compromise
- Unusual disk space consumption on build runners or CI/CD systems
- Long-running or stalled melange update-cache processes
- HTTP connections to unknown or suspicious external URIs from build environments
- Build failures due to disk exhaustion without obvious cause
Detection Strategies
- Monitor disk usage patterns on build runners for sudden spikes or gradual unexpected increases
- Implement alerting on melange update-cache processes that run longer than expected thresholds
- Review melange configuration files for URIs pointing to untrusted or unknown external sources
- Audit network traffic from build environments for connections to suspicious endpoints
Monitoring Recommendations
- Set up disk space monitoring and alerting with appropriate thresholds on all build runners
- Implement process monitoring to track execution time of melange commands
- Use network monitoring to detect unusually long-lived HTTP connections from build processes
- Review and validate all external URIs in melange configurations before processing
How to Mitigate CVE-2026-29049
Immediate Actions Required
- Audit all melange configuration files and remove or validate URIs from untrusted sources
- Implement disk quota limits on build runner file systems to contain potential resource exhaustion
- Review CI/CD pipeline configurations to ensure only trusted configuration files are processed
- Consider temporarily restricting network access from build environments to known-good sources
Patch Information
According to the GitHub Security Advisory, there is no known patch publicly available at this time. Organizations should monitor the upstream repository for security updates and apply patches as soon as they become available.
Workarounds
- Only process melange configuration files from trusted and validated sources
- Implement external download size limits at the network or proxy level
- Use containerized build environments with strict disk quotas to limit blast radius
- Configure network-level timeouts for outbound HTTP connections from build environments
- Implement pre-build validation scripts to check URIs in configuration files against an allowlist
Until an official patch is released, organizations should implement defense-in-depth measures by combining multiple workarounds to reduce the risk of exploitation.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
