CVE-2026-24843: melange QEMU runner could write files outside workspace directory

February 3, 2026

An attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing Path Traversal via ../ sequences.

References

github.com/advisories/GHSA-qxx2-7h4c-83f4
github.com/chainguard-dev/melange
github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b
github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4
nvd.nist.gov/vuln/detail/CVE-2026-24843

Code Behaviors & Features

Detect and mitigate CVE-2026-24843 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →