Vulnerability Details CVE-2026-24843
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.3%
CVSS Severity
CVSS v3 Score 8.2
References
Products affected by CVE-2026-24843
-
cpe:2.3:a:chainguard:melange:0.11.3
-
cpe:2.3:a:chainguard:melange:0.11.4
-
cpe:2.3:a:chainguard:melange:0.11.5
-
cpe:2.3:a:chainguard:melange:0.11.6
-
cpe:2.3:a:chainguard:melange:0.12.0
-
cpe:2.3:a:chainguard:melange:0.12.1
-
cpe:2.3:a:chainguard:melange:0.13.0
-
cpe:2.3:a:chainguard:melange:0.13.1
-
cpe:2.3:a:chainguard:melange:0.13.2
-
cpe:2.3:a:chainguard:melange:0.13.3
-
cpe:2.3:a:chainguard:melange:0.13.4
-
cpe:2.3:a:chainguard:melange:0.13.5
-
cpe:2.3:a:chainguard:melange:0.13.6
-
cpe:2.3:a:chainguard:melange:0.13.7
-
cpe:2.3:a:chainguard:melange:0.14.0
-
cpe:2.3:a:chainguard:melange:0.14.1
-
cpe:2.3:a:chainguard:melange:0.14.10
-
cpe:2.3:a:chainguard:melange:0.14.11
-
cpe:2.3:a:chainguard:melange:0.14.2
-
cpe:2.3:a:chainguard:melange:0.14.3
-
cpe:2.3:a:chainguard:melange:0.14.4
-
cpe:2.3:a:chainguard:melange:0.14.5
-
cpe:2.3:a:chainguard:melange:0.14.6
-
cpe:2.3:a:chainguard:melange:0.14.7
-
cpe:2.3:a:chainguard:melange:0.14.8
-
cpe:2.3:a:chainguard:melange:0.14.9
-
cpe:2.3:a:chainguard:melange:0.15.0
-
cpe:2.3:a:chainguard:melange:0.15.1
-
cpe:2.3:a:chainguard:melange:0.15.10
-
cpe:2.3:a:chainguard:melange:0.15.11
-
cpe:2.3:a:chainguard:melange:0.15.12
-
cpe:2.3:a:chainguard:melange:0.15.13
-
cpe:2.3:a:chainguard:melange:0.15.14
-
cpe:2.3:a:chainguard:melange:0.15.2
-
cpe:2.3:a:chainguard:melange:0.15.3
-
cpe:2.3:a:chainguard:melange:0.15.4
-
cpe:2.3:a:chainguard:melange:0.15.5
-
cpe:2.3:a:chainguard:melange:0.15.6
-
cpe:2.3:a:chainguard:melange:0.15.7
-
cpe:2.3:a:chainguard:melange:0.15.8
-
cpe:2.3:a:chainguard:melange:0.15.9
-
cpe:2.3:a:chainguard:melange:0.16.0
-
cpe:2.3:a:chainguard:melange:0.17.0
-
cpe:2.3:a:chainguard:melange:0.17.1
-
cpe:2.3:a:chainguard:melange:0.17.2
-
cpe:2.3:a:chainguard:melange:0.17.3
-
cpe:2.3:a:chainguard:melange:0.17.4
-
cpe:2.3:a:chainguard:melange:0.17.5
-
cpe:2.3:a:chainguard:melange:0.17.6
-
cpe:2.3:a:chainguard:melange:0.17.7
-
cpe:2.3:a:chainguard:melange:0.18.0
-
cpe:2.3:a:chainguard:melange:0.18.1
-
cpe:2.3:a:chainguard:melange:0.18.2
-
cpe:2.3:a:chainguard:melange:0.18.3
-
cpe:2.3:a:chainguard:melange:0.19.0
-
cpe:2.3:a:chainguard:melange:0.19.1
-
cpe:2.3:a:chainguard:melange:0.19.2
-
cpe:2.3:a:chainguard:melange:0.19.3
-
cpe:2.3:a:chainguard:melange:0.19.4
-
cpe:2.3:a:chainguard:melange:0.19.5
-
cpe:2.3:a:chainguard:melange:0.20.0
-
cpe:2.3:a:chainguard:melange:0.20.1
-
cpe:2.3:a:chainguard:melange:0.21.0
-
cpe:2.3:a:chainguard:melange:0.21.1
-
cpe:2.3:a:chainguard:melange:0.21.2
-
cpe:2.3:a:chainguard:melange:0.22.0
-
cpe:2.3:a:chainguard:melange:0.22.1
-
cpe:2.3:a:chainguard:melange:0.22.2
-
cpe:2.3:a:chainguard:melange:0.23.0
-
cpe:2.3:a:chainguard:melange:0.23.1
-
cpe:2.3:a:chainguard:melange:0.23.10
-
cpe:2.3:a:chainguard:melange:0.23.11
-
cpe:2.3:a:chainguard:melange:0.23.12
-
cpe:2.3:a:chainguard:melange:0.23.13
-
cpe:2.3:a:chainguard:melange:0.23.14
-
cpe:2.3:a:chainguard:melange:0.23.15
-
cpe:2.3:a:chainguard:melange:0.23.16
-
cpe:2.3:a:chainguard:melange:0.23.17
-
cpe:2.3:a:chainguard:melange:0.23.2
-
cpe:2.3:a:chainguard:melange:0.23.3
-
cpe:2.3:a:chainguard:melange:0.23.4
-
cpe:2.3:a:chainguard:melange:0.23.5
-
cpe:2.3:a:chainguard:melange:0.23.6
-
cpe:2.3:a:chainguard:melange:0.23.7
-
cpe:2.3:a:chainguard:melange:0.23.8
-
cpe:2.3:a:chainguard:melange:0.23.9
-
cpe:2.3:a:chainguard:melange:0.24.0
-
cpe:2.3:a:chainguard:melange:0.25.0
-
cpe:2.3:a:chainguard:melange:0.25.1
-
cpe:2.3:a:chainguard:melange:0.26.0
-
cpe:2.3:a:chainguard:melange:0.26.1
-
cpe:2.3:a:chainguard:melange:0.26.10
-
cpe:2.3:a:chainguard:melange:0.26.11
-
cpe:2.3:a:chainguard:melange:0.26.12
-
cpe:2.3:a:chainguard:melange:0.26.13
-
cpe:2.3:a:chainguard:melange:0.26.2
-
cpe:2.3:a:chainguard:melange:0.26.3
-
cpe:2.3:a:chainguard:melange:0.26.4
-
cpe:2.3:a:chainguard:melange:0.26.5
-
cpe:2.3:a:chainguard:melange:0.26.6
-
cpe:2.3:a:chainguard:melange:0.26.7
-
cpe:2.3:a:chainguard:melange:0.26.8
-
cpe:2.3:a:chainguard:melange:0.26.9
-
cpe:2.3:a:chainguard:melange:0.27.0
-
cpe:2.3:a:chainguard:melange:0.28.0
-
cpe:2.3:a:chainguard:melange:0.29.0
-
cpe:2.3:a:chainguard:melange:0.29.1
-
cpe:2.3:a:chainguard:melange:0.29.2
-
cpe:2.3:a:chainguard:melange:0.29.3
-
cpe:2.3:a:chainguard:melange:0.29.4
-
cpe:2.3:a:chainguard:melange:0.29.5
-
cpe:2.3:a:chainguard:melange:0.29.6
-
cpe:2.3:a:chainguard:melange:0.29.7
-
cpe:2.3:a:chainguard:melange:0.30.0
-
cpe:2.3:a:chainguard:melange:0.30.1
-
cpe:2.3:a:chainguard:melange:0.30.2
-
cpe:2.3:a:chainguard:melange:0.30.3
-
cpe:2.3:a:chainguard:melange:0.30.4
-
cpe:2.3:a:chainguard:melange:0.30.5
-
cpe:2.3:a:chainguard:melange:0.30.6
-
cpe:2.3:a:chainguard:melange:0.31.0
-
cpe:2.3:a:chainguard:melange:0.31.1
-
cpe:2.3:a:chainguard:melange:0.31.2
-
cpe:2.3:a:chainguard:melange:0.31.3
-
cpe:2.3:a:chainguard:melange:0.31.4
-
cpe:2.3:a:chainguard:melange:0.31.5
-
cpe:2.3:a:chainguard:melange:0.31.6
-
cpe:2.3:a:chainguard:melange:0.31.7
-
cpe:2.3:a:chainguard:melange:0.31.8
-
cpe:2.3:a:chainguard:melange:0.31.9
-
cpe:2.3:a:chainguard:melange:0.32.0
-
cpe:2.3:a:chainguard:melange:0.33.0
-
cpe:2.3:a:chainguard:melange:0.33.1
-
cpe:2.3:a:chainguard:melange:0.33.2
-
cpe:2.3:a:chainguard:melange:0.34.0
-
cpe:2.3:a:chainguard:melange:0.34.1
-
cpe:2.3:a:chainguard:melange:0.34.2
-
cpe:2.3:a:chainguard:melange:0.34.3
-
cpe:2.3:a:chainguard:melange:0.35.0
-
cpe:2.3:a:chainguard:melange:0.35.1
-
cpe:2.3:a:chainguard:melange:0.36.0
-
cpe:2.3:a:chainguard:melange:0.37.0
-
cpe:2.3:a:chainguard:melange:0.37.1
-
cpe:2.3:a:chainguard:melange:0.37.2
-
cpe:2.3:a:chainguard:melange:0.37.3
-
cpe:2.3:a:chainguard:melange:0.37.4
-
cpe:2.3:a:chainguard:melange:0.37.5
-
cpe:2.3:a:chainguard:melange:0.38.0
-
cpe:2.3:a:chainguard:melange:0.38.1
-
cpe:2.3:a:chainguard:melange:0.39.0
-
cpe:2.3:a:chainguard:melange:0.40.0
-
cpe:2.3:a:chainguard:melange:0.40.1
-
cpe:2.3:a:chainguard:melange:0.40.2
-
cpe:2.3:a:chainguard:melange:0.40.3
-
cpe:2.3:a:chainguard:melange:0.40.4