How to fix CVE-2026-24843?

Within 24 hours: Identify all systems running affected melange versions (0.11.3 to 0.40.2) and isolate build pipelines from untrusted inputs. Within 7 days: Upgrade melange to version 0.40.3 or later across all build infrastructure. Within 30 days: Conduct security audit of all packages built with vulnerable versions, validate build artifact integrity, and implement network segmentation to restrict QEMU guest VM access.

Is Melange affected by CVE-2026-24843?

CVE-2026-24843 affects melange, a container package build tool, allowing attackers to write files outside intended directories if they can compromise the QEMU build environment.

CVE-2026-24843

HIGH

2026-02-04 [email protected]

GHSA-qxx2-7h4c-83f4

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch Released

Feb 18, 2026 - 15:57 nvd

Patch available

CVE Published

Feb 04, 2026 - 20:16 nvd

HIGH 8.2

Description

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.

Analysis

Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that fails to validate tar entry paths, allowing an attacker with control over a QEMU guest VM's tar stream to write arbitrary files outside the intended workspace directory on the host system. An attacker exploiting this vulnerability could achieve arbitrary file write capabilities on the host machine, potentially leading to system compromise. …

Remediation

Within 24 hours: Identify all systems running affected melange versions (0.11.3 to 0.40.2) and isolate build pipelines from untrusted inputs. Within 7 days: Upgrade melange to version 0.40.3 or later across all build infrastructure. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +41

POC: 0

Vendor Status

CVE-2026-24843 vulnerability details – vuln.today

Back

CVE-2026-24843

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-24843

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code