CVE-2026-29049: CWE-400: Uncontrolled Resource Consumption in chainguard-dev melange
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. There is no known patch publicly available.
AI Analysis
Technical Summary
CVE-2026-29049 affects chainguard-dev's melange, the tool that builds apk packages from declarative YAML pipelines, in version 0.40.5 and earlier. The flaw is in the update-cache subcommand (pkg/renovate/cache/cache.go): when refreshing its cache it fetches the URIs found in build configurations and streams each response body to disk with io.Copy, with no size cap on the copy and no timeout on the HTTP client. Whoever controls a URI in a config therefore controls how much the runner writes: a server that never stops sending fills the disk, and because there is also no timeout, a server that stalls or trickles bytes can hold the command open indefinitely. The advisory classifies the issue as CWE-400 (Uncontrolled Resource Consumption); because the runner is induced to make outbound requests to an attacker-chosen destination, the fetch also has an SSRF character (CWE-918), though resource exhaustion is the only impact the advisory establishes. No privileges on the runner are needed, but a victim must run update-cache against a configuration containing the hostile URI, which in practice means a malicious or tampered config reaching a pipeline. The CVSS v3.1 base score is 4.3 (medium), corresponding to the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L: network reachable, low complexity, no privileges, user interaction required, unchanged scope, and a low availability impact with no effect on confidentiality or integrity. No patch has been published and no exploitation in the wild has been reported. The practical effect is denial of service on build infrastructure: a full disk breaks this and any other job on the runner until it is cleaned up, delaying software delivery.
Potential Impact
The primary impact is denial of service through disk exhaustion on the build runner. Organizations that run melange update-cache in automated pipelines can see the job hang or fail, and because a full disk affects every process on the host, other builds sharing that runner fail too; on shared or capacity-constrained infrastructure this cascades across projects and teams. Confidentiality and integrity are not affected, but the lost availability delays releases and costs operator time to diagnose and clean up. The trigger is a build configuration, so the realistic entry point is a pull request, a dependency or package update, or a tampered upstream config that introduces the URI; insider threats and compromised developer workstations raise the likelihood. With no public patch, organizations must rely on mitigations until an official fix is released.
Mitigation Recommendations
First establish exposure: the advisory scopes the flaw to the update-cache subcommand, so check whether any pipeline, cron job or developer workflow actually runs melange update-cache, and on which configurations. Where it does, treat those configurations as untrusted input: require review of any change to a fetch URI, restrict who can submit or modify configurations, and run update-cache only on reviewed configurations, never directly on contributed pull-request content. Network controls limit reach: egress filtering or an outbound allowlist on the runner blocks fetches to arbitrary hosts, and a forward proxy in the path can enforce its own response size cap and timeout on the runner's behalf. Bound the blast radius on the host itself: run update-cache on an ephemeral runner with a bounded volume or a container storage quota, and note that a per-process file-size limit (ulimit -f) caps each file the process can write, which is exactly the write this flaw abuses. Monitor disk usage on runners and alert on abnormal growth, or on a single job whose scratch directory keeps growing. If update-cache is not needed, disable or isolate it until a fix ships. Track chainguard-dev advisories and apply the update promptly once released; if patching melange internally is feasible, the fix is an http.Client with a Timeout and a size-limited reader around the response body before io.Copy.
Affected Countries
United States, Germany, Japan, South Korea, France, United Kingdom, Canada, Netherlands, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T17:50:11.243Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa7f36c48b3f10ff26b92f
Added to database: 3/6/2026, 7:16:06 AM
Last enriched: 3/13/2026, 7:36:55 PM
Last updated: 4/19/2026, 12:18:27 PM