Melange, Path Traversal in QEMU Runner (Critical)

Listen to this Post

The vulnerability resides in the `retrieveWorkspace` function of the melange build system’s QEMU runner. When building packages in a virtualized environment, melange uses QEMU to run a guest VM. After execution, the guest’s workspace is sent to the host as a tar archive via a virtualized serial device. The `retrieveWorkspace` function on the host extracts this incoming tar stream. The function fails to properly sanitize file paths within the archive before extraction. An attacker with control over the guest VM, or who can maliciously influence the data sent over this channel, can craft a tar entry containing path traversal sequences (e.g., ../../etc/passwd). During extraction on the host, these sequences are not normalized or confined to the intended workspace directory, leading to arbitrary file write anywhere the host process has permissions.
Platform: melange
Version: Pre-6e243d0d
Vulnerability: Path Traversal
Severity: Critical
Date: 2026-02-03

Prediction: Patched 2026-02-03

What Undercode Say:

Checking for the vulnerable function pattern
grep -n "retrieveWorkspace" pkg/runner/qemu.go
Simulating malicious tar creation
tar cvf payload.tar ../../../../tmp/exploit

How Exploit:

1. Compromise build guest.

2. Craft tar with `../` paths.

3. Send to host via serial.

Protection from this CVE:

Update to commit `6e243d0d` or later. Implement path sanitization before file extraction.

Impact:

Host system arbitrary file write. Potential full host compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top