CVE-2026-29049

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-29049

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29049.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-29049

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-06T07:03:10.361Z

Modified

2026-04-10T05:41:27.035137Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS Calculator

Summary

melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI

Details

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.

Database specific

{
    "cwe_ids": [
        "CWE-400",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29049.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/chainguard-dev/melange

Affected ranges

Type

GIT

Repo

https://github.com/chainguard-dev/melange

Events

Introduced

Last affected

0f2f34dda06a67ca7b5952fe3f1f66edddfe17f1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.40.5"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.10.0

v0.10.1

v0.10.2

v0.10.3

v0.10.4

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.11.4

v0.11.5

v0.11.6

v0.12.0

v0.12.1

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.13.4

v0.13.5

v0.13.6

v0.13.7

v0.14.0

v0.14.1

v0.14.10

v0.14.11

v0.14.2

v0.14.3

v0.14.4

v0.14.5

v0.14.6

v0.14.7

v0.14.8

v0.14.9

v0.15.0

v0.15.1

v0.15.10

v0.15.11

v0.15.12

v0.15.13

v0.15.14

v0.15.2

v0.15.3

v0.15.4

v0.15.5

v0.15.6

v0.15.7

v0.15.8

v0.15.9

v0.16.0

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.17.4

v0.17.5

v0.17.6

v0.17.7

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.19.0

v0.19.1

v0.19.2

v0.19.3

v0.19.4

v0.19.5

v0.2.0

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.21.2

v0.22.0

v0.22.1

v0.22.2

v0.23.0

v0.23.1

v0.23.10

v0.23.11

v0.23.12

v0.23.13

v0.23.14

v0.23.15

v0.23.16

v0.23.17

v0.23.2

v0.23.3

v0.23.4

v0.23.5

v0.23.6

v0.23.7

v0.23.8

v0.23.9

v0.24.0

v0.25.0

v0.25.1

v0.26.0

v0.26.1

v0.26.10

v0.26.11

v0.26.12

v0.26.13

v0.26.2

v0.26.3

v0.26.4

v0.26.5

v0.26.6

v0.26.7

v0.26.8

v0.26.9

v0.27.0

v0.28.0

v0.29.0

v0.29.1

v0.29.2

v0.29.3

v0.29.4

v0.29.5

v0.29.6

v0.29.7

v0.30.0

v0.30.1

v0.30.2

v0.30.3

v0.30.4

v0.30.5

v0.30.6

v0.31.0

v0.31.1

v0.31.2

v0.31.3

v0.31.4

v0.31.5

v0.31.6

v0.31.7

v0.31.8

v0.31.9

v0.32.0

v0.33.0

v0.33.1

v0.33.2

v0.34.0

v0.34.1

v0.34.2

v0.34.3

v0.35.0

v0.35.1

v0.36.0

v0.37.0

v0.37.1

v0.37.2

v0.37.3

v0.37.4

v0.37.5

v0.38.0

v0.38.1

v0.39.0

v0.4.0

v0.40.0

v0.40.1

v0.40.2

v0.40.3

v0.40.4

v0.40.5

v0.5.0

v0.5.1

v0.5.10

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.10

v0.6.11

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.6.9

v0.7.0

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v0.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29049.json"