SCA: security update for chainguard.dev/melange (GHSA-q2pw-xx38-p64j)

low Tenable Cloud Security Plugin ID 440784

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and
prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange
build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and
`pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these
values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a
melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause
melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the
melange process. The written file is a JSON lint report whose content is partially attacker-influenced.
There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem.
The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by
default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and
`filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a
workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents
are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated
directory also limits impact. (CVE-2026-29051)

Solution

Update the chainguard.dev/melange library and its related packages to version 0.43.4 or later.

See Also

https://github.com/advisories/GHSA-q2pw-xx38-p64j

Plugin Details

Severity: Low

ID: 440784

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 4/24/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-29051

CVSS v3

Risk Factor: Low

Base Score: 3.3

Temporal Score: 2.9

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/23/2026

Vulnerability Publication Date: 4/23/2026

Reference Information

CVE: CVE-2026-29051

cwe: CWE-22