CVE-2026-29049: CWE-400: Uncontrolled Resource Consumption in chainguard-dev melange
CVE-2026-29049 is a medium severity vulnerability in chainguard-dev's melange (version 0.40.5 and earlier) that allows an attacker to cause uncontrolled resource consumption. The flaw arises because melange's update-cache function downloads data from attacker-controlled URIs without imposing size limits or HTTP timeouts, leading to unbounded disk writes. This can exhaust disk space on build runners, causing denial of service conditions. Exploitation requires user interaction to trigger the download process, but no authentication is needed. No public patch is currently available. Organizations using melange for building apk packages should be aware of this risk and implement mitigations to prevent disk exhaustion. The vulnerability primarily impacts environments running vulnerable melange versions, especially in CI/CD pipelines. Countries with significant use of chainguard-dev products and active apk package development are at higher risk.
AI Analysis
Technical Summary
CVE-2026-29049 is a resource exhaustion vulnerability classified under CWE-400 and CWE-918 affecting chainguard-dev's melange tool, which is used for building apk packages via declarative pipelines. In versions 0.40.5 and earlier, the update-cache component downloads content from URIs specified in build configurations using the Go io.Copy function without enforcing any size limits or HTTP client timeouts. This lack of constraints allows an attacker who can supply a malicious URI in the build config to cause unbounded disk writes on the build runner system. The consequence is potential exhaustion of disk space, leading to denial of service by preventing further builds or causing system instability. The vulnerability does not affect confidentiality or integrity directly but impacts availability. Exploitation requires user interaction to initiate the build process with a malicious config but does not require authentication or elevated privileges. No public patch or fix is currently available, making mitigation reliant on operational controls. The vulnerability was published on March 6, 2026, with a CVSS v3.1 score of 4.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and impact limited to availability. This vulnerability highlights the risks of unbounded resource consumption in build automation tools and the importance of input validation and resource limiting in CI/CD environments.
Potential Impact
The primary impact of CVE-2026-29049 is denial of service caused by disk space exhaustion on build runner systems using vulnerable versions of melange. This can disrupt continuous integration and deployment pipelines, delaying software delivery and potentially causing cascading operational issues. Organizations relying on automated apk package builds may experience build failures, increased operational costs due to system recovery efforts, and potential downtime of critical development infrastructure. Although the vulnerability does not compromise data confidentiality or integrity, the availability impact can affect development velocity and reliability. In environments where build runners are shared resources or part of larger cloud-based CI/CD platforms, the attack could affect multiple teams or projects simultaneously. The lack of a public patch increases the risk window, requiring organizations to implement compensating controls. Attackers with the ability to supply build configurations can exploit this vulnerability remotely, making it a concern for organizations with less restrictive build configuration management or external contributor workflows.
Mitigation Recommendations
1. Implement strict validation and sanitization of all URIs used in melange build configurations to prevent attacker-controlled inputs.
2. Introduce operational limits on disk usage for build runners, such as quotas or monitoring alerts for abnormal disk consumption.
3. Use network-level controls to restrict outgoing HTTP requests from build runners to trusted sources only, preventing downloads from untrusted or malicious URIs.
4. Employ containerization or sandboxing of build environments to isolate and limit resource impact.
5. Monitor build logs and system metrics for unusual activity indicative of resource exhaustion attempts.
6. Temporarily disable or restrict use of the update-cache feature until a patch is available.
7. Engage with chainguard-dev for updates and patches, and plan for prompt application once released.
8. Educate developers and build pipeline maintainers about the risks of including untrusted URIs in build configurations.
9. Consider implementing HTTP client timeouts and size limits in custom wrappers or proxy layers if modifying melange source is not feasible.
10. Review and tighten access controls on who can submit or modify build configurations to reduce attack surface.
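The technical summary attributes the flaw to an unbounded io.Copy with no HTTP client timeout, and mitigation 9 asks for exactly those two controls in a wrapper. The following is an added illustration of what such a wrapper looks like in Go; it is not melange's code, and the function names (copyBounded, newBoundedClient, fetchBounded) and the "read one byte past the cap" technique are choices made here, not something the advisory specifies.

```go
package main

import (
	"context"
	"errors"
	"io"
	"net/http"
	"time"
)

// ErrTooLarge is returned when a body exceeds the configured byte cap.
var ErrTooLarge = errors.New("download exceeds size limit")

// copyBounded copies at most maxBytes from src to dst. It reads one byte past
// the cap so an over-sized body is an error, not a silent truncation.
func copyBounded(dst io.Writer, src io.Reader, maxBytes int64) (int64, error) {
	n, err := io.Copy(dst, io.LimitReader(src, maxBytes+1))
	if err != nil {
		return n, err
	}
	if n > maxBytes {
		return n, ErrTooLarge
	}
	return n, nil
}

// newBoundedClient returns a client that gives up after timeout instead of
// hanging forever on a slow or never-ending response body.
func newBoundedClient(timeout time.Duration) *http.Client {
	return &http.Client{Timeout: timeout}
}

// fetchBounded downloads uri into dst under a wall-clock timeout and byte cap.
// Content-Length is a cheap early reject only; the copy is still capped
// because the header may be absent or wrong.
func fetchBounded(ctx context.Context, c *http.Client, uri string, dst io.Writer, maxBytes int64) (int64, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
	if err != nil {
		return 0, err
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.ContentLength > maxBytes {
		return 0, ErrTooLarge
	}
	return copyBounded(dst, resp.Body, maxBytes)
}
```

A caller that writes to disk would pass the destination file as dst and pick a cap sized to the largest artifact the cache legitimately needs, so an attacker-supplied URI can consume at most that much space per download before the build fails.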
Affected Countries
United States, Germany, Japan, South Korea, France, United Kingdom, Canada, Netherlands, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T17:50:11.243Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa7f36c48b3f10ff26b92f
Added to database: 3/6/2026, 7:16:06 AM
Last enriched: 3/6/2026, 7:31:09 AM
Last updated: 3/6/2026, 10:11:07 AM