Plattform
go
Komponente
chainguard.dev/melange
Behoben in
0.11.4
0.40.3
CVE-2026-24843 describes a file write vulnerability within Chainguard Melange, a QEMU runner. An attacker can leverage this flaw to write files outside the designated workspace directory, potentially leading to arbitrary code execution. This vulnerability impacts versions of Melange prior to 0.40.3 and a fix has been released.
The core of this vulnerability lies in Melange's QEMU runner's file handling logic. An attacker, by crafting malicious inputs, can bypass workspace directory restrictions and write files to arbitrary locations on the host system. This could involve overwriting critical system files, injecting malicious scripts, or deploying malware. The potential impact extends beyond simple data corruption; successful exploitation could grant an attacker complete control over the affected system, enabling data theft, privilege escalation, and lateral movement within the network. The blast radius depends on the system's permissions and network connectivity.
CVE-2026-24843 was publicly disclosed on 2026-02-05. Its inclusion in the CISA KEV catalog is pending. No public proof-of-concept (POC) exploits have been released as of this writing, but the vulnerability's nature suggests a relatively high likelihood of exploitation given sufficient attacker motivation and skill. The vulnerability is tracked by the NVD.
Organizations utilizing Chainguard Melange for container image building or other QEMU-based workflows are at risk. This includes DevOps teams, CI/CD pipelines, and environments where Melange is integrated into automated build processes. Specifically, those relying on older versions of Melange (prior to 0.40.3) are vulnerable.
• go / supply-chain: Inspect Melange's source code for file path manipulation functions. Look for instances where user-supplied input is directly used to construct file paths without proper sanitization.
// Example: Check for direct path concatenation
if strings.Contains(filepath.Clean(userInput), "../") {
// Potential vulnerability
}• generic web: Monitor access logs for unusual file creation attempts outside the expected workspace directory. Look for patterns indicative of path traversal attacks.
# Example: grep for path traversal attempts in access logs
grep "../" /var/log/nginx/access.logdisclosure
Exploit-Status
EPSS
0.01% (0% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation is to immediately upgrade Chainguard Melange to version 0.40.3 or later. This version contains the necessary fix to prevent unauthorized file writes. If upgrading is not immediately feasible, consider implementing stricter workspace directory permissions to limit the potential impact of a successful exploit. Additionally, monitor file system activity for unexpected writes outside the intended workspace. While a WAF is unlikely to directly address this, reviewing and hardening QEMU configurations can reduce the attack surface. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual file creation events is recommended.
Actualice melange a la versión 0.40.3 o superior. Esta versión contiene una corrección para la vulnerabilidad de path traversal que permite la escritura de archivos fuera del directorio de trabajo. La actualización evitará que atacantes influyan en el flujo de datos de la máquina virtual QEMU y comprometan el sistema host.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-24843 is a HIGH severity vulnerability in Chainguard Melange that allows attackers to write files outside the designated workspace, potentially leading to system compromise. It affects versions before 0.40.3.
You are affected if you are using Chainguard Melange versions prior to 0.40.3. Check your installed version and upgrade immediately if vulnerable.
Upgrade Chainguard Melange to version 0.40.3 or later. If immediate upgrade is not possible, implement stricter workspace directory permissions and input validation.
There is currently no evidence of active exploitation in the wild, but vigilance is advised due to the vulnerability's severity.
Refer to the Chainguard security advisories page for the latest information and official announcements regarding CVE-2026-24843.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.