CVE-2026-24843 is a path traversal vulnerability classified under CWE-22 found in the melange tool developed by chainguard-dev, which is used for building apk packages via declarative pipelines. Versions from 0.11.3 up to but not including 0.40.3 are affected. The vulnerability arises in the retrieveWorkspace function, which extracts files from a tar stream originating from a QEMU guest virtual machine. This function fails to validate that the extracted file paths remain confined within the intended workspace directory on the host. An attacker capable of influencing the tar stream can craft entries containing '../' sequences to traverse directories and write files outside the designated workspace. This can lead to unauthorized modification or overwriting of critical files on the host system, compromising system integrity and potentially causing denial of service. The vulnerability has a CVSS v3.1 score of 8.2, indicating high severity, with an attack vector limited to local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), impacting integrity and availability but not confidentiality. No known exploits are currently reported in the wild. The issue was publicly disclosed on February 4, 2026, and fixed in melange version 0.40.3.

For European organizations, this vulnerability poses a significant risk to the integrity and availability of build environments that utilize melange versions prior to 0.40.3, especially those employing QEMU guest VMs. Successful exploitation could allow attackers to write arbitrary files on the host system outside the intended workspace, potentially leading to code execution, system compromise, or disruption of build pipelines. This could affect software supply chain security, undermining trust in produced packages. Organizations relying on melange for apk package creation in critical infrastructure, software development, or embedded systems could face operational disruptions and reputational damage. The requirement for local access to the QEMU guest VM somewhat limits the attack surface but does not eliminate risk, particularly in multi-tenant or shared environments common in European data centers. The vulnerability's ability to alter host files also raises concerns about compliance with European data protection and cybersecurity regulations, such as GDPR and NIS Directive, if exploitation leads to data integrity issues or service outages.

The primary mitigation is to upgrade melange to version 0.40.3 or later, where the path traversal vulnerability has been patched by properly validating tar entry paths to ensure they remain within the workspace directory. Until upgrading, organizations should implement strict controls on the tar streams accepted from QEMU guest VMs, including validating and sanitizing inputs to prevent malicious path sequences. Restricting access to QEMU guest VMs to trusted users only and monitoring for suspicious file extraction activities can reduce risk. Employing containerization or sandboxing for build processes can limit the impact of potential exploits. Additionally, auditing build pipelines and host filesystem permissions to minimize the potential damage from unauthorized file writes is recommended. Regularly reviewing and updating security policies around virtualization and build infrastructure will help prevent exploitation. Finally, integrating file integrity monitoring on host systems can detect unauthorized changes resulting from exploitation attempts.