Platform
go
Component
chainguard.dev/melange
Fixed in
0.11.4
0.40.3
CVE-2026-24843 describes a file write vulnerability within Chainguard Melange, a QEMU runner. An attacker can leverage this flaw to write files outside the intended workspace directory, potentially leading to arbitrary code execution. This vulnerability impacts versions of Melange before 0.40.3 and has been assigned a CVSS score of 8.2 (HIGH). A fix is available in version 0.40.3.
The core of this vulnerability lies in Melange's QEMU runner's file handling logic. Specifically, it fails to adequately restrict where files can be written during certain operations. An attacker who can control the input to the QEMU runner can craft malicious data that causes it to write files to locations outside the designated workspace. This could include overwriting critical system files, injecting malicious scripts, or creating backdoor accounts. The potential impact is significant, ranging from complete system compromise to data exfiltration, depending on the attacker's capabilities and the privileges of the user running Melange. Successful exploitation could allow an attacker to gain persistent access to the system.
CVE-2026-24843 was publicly disclosed on 2026-02-05. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code is available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The relatively recent disclosure and lack of public exploits suggest a low to medium probability of near-term exploitation, but vigilance is still advised.
Exploit Status
EPSS
0.01% (0% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24843 is to upgrade Chainguard Melange to version 0.40.3 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing stricter workspace directory permissions to limit the potential damage from unauthorized file writes. Review and restrict the input data provided to the QEMU runner to prevent malicious payloads. Implement robust input validation and sanitization to ensure that only expected file names and paths are processed. After upgrading, verify the fix by attempting to write a file outside the designated workspace directory and confirming that the operation is denied.
Actualice melange a la versión 0.40.3 o superior. Esta versión contiene una corrección para la vulnerabilidad de path traversal que permite la escritura de archivos fuera del directorio de trabajo. La actualización evitará que atacantes influyan en el flujo de datos de la máquina virtual QEMU y comprometan el sistema host.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-24843 is a HIGH severity vulnerability in Chainguard Melange that allows attackers to write files outside the designated workspace, potentially leading to system compromise. It affects versions before 0.40.3.
You are affected if you are using Chainguard Melange versions prior to 0.40.3. Check your installed version and upgrade immediately if vulnerable.
Upgrade Chainguard Melange to version 0.40.3 or later. If immediate upgrade is not possible, implement stricter workspace directory permissions and input validation.
There is currently no evidence of active exploitation in the wild, but vigilance is advised due to the vulnerability's severity.
Refer to the Chainguard security advisories page for the latest information and official announcements regarding CVE-2026-24843.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.