Vulnerability Details CVE-2026-29051
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.1%
CVSS Severity
CVSS v3 Score 4.4
References
Products affected by CVE-2026-29051
-
cpe:2.3:a:chainguard:melange:0.32.0
-
cpe:2.3:a:chainguard:melange:0.33.0
-
cpe:2.3:a:chainguard:melange:0.33.1
-
cpe:2.3:a:chainguard:melange:0.33.2
-
cpe:2.3:a:chainguard:melange:0.34.0
-
cpe:2.3:a:chainguard:melange:0.34.1
-
cpe:2.3:a:chainguard:melange:0.34.2
-
cpe:2.3:a:chainguard:melange:0.34.3
-
cpe:2.3:a:chainguard:melange:0.35.0
-
cpe:2.3:a:chainguard:melange:0.35.1
-
cpe:2.3:a:chainguard:melange:0.36.0
-
cpe:2.3:a:chainguard:melange:0.37.0
-
cpe:2.3:a:chainguard:melange:0.37.1
-
cpe:2.3:a:chainguard:melange:0.37.2
-
cpe:2.3:a:chainguard:melange:0.37.3
-
cpe:2.3:a:chainguard:melange:0.37.4
-
cpe:2.3:a:chainguard:melange:0.37.5
-
cpe:2.3:a:chainguard:melange:0.38.0
-
cpe:2.3:a:chainguard:melange:0.38.1
-
cpe:2.3:a:chainguard:melange:0.39.0
-
cpe:2.3:a:chainguard:melange:0.40.0
-
cpe:2.3:a:chainguard:melange:0.40.1
-
cpe:2.3:a:chainguard:melange:0.40.2
-
cpe:2.3:a:chainguard:melange:0.40.3
-
cpe:2.3:a:chainguard:melange:0.40.4
-
cpe:2.3:a:chainguard:melange:0.40.5
-
cpe:2.3:a:chainguard:melange:0.41.0
-
cpe:2.3:a:chainguard:melange:0.41.1
-
cpe:2.3:a:chainguard:melange:0.42.0
-
cpe:2.3:a:chainguard:melange:0.43.0
-
cpe:2.3:a:chainguard:melange:0.43.1
-
cpe:2.3:a:chainguard:melange:0.43.2
-
cpe:2.3:a:chainguard:melange:0.43.3