Cyber Posture

CVE-2026-25143

Severity: High
Published: 04 February 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: fixed in 0.40.3
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.3 percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25143 is a high-severity OS Command Injection (CWE-78) vulnerability in Chainguard Melange. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). Its EPSS score of 0.0001 places it at roughly the 1.3 percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and one other technique, T1195.001. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10, Information Input Validation (prevent): directly prevents command injection by requiring validation and sanitization of user-influenced inputs (series paths, patch filenames, numeric parameters) before they are embedded in shell scripts.

SI-2, Flaw Remediation (prevent): mandates timely identification, reporting and patching of the flaw in Melange versions 0.10.0 through 0.40.2; the fix ships in 0.40.3.

AC-6, Least Privilege (prevent): limits the scope and impact of arbitrary command execution by running the Melange build process with least privilege on the build host.

MITRE ATT&CK Enterprise Techniques [AI]

T1059.004 Unix Shell (tactic: Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1195.001 Compromise Software Dependencies and Development Tools (tactic: Initial Access): Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

Why these techniques?

Command injection into shell pipelines directly enables Unix shell execution (T1059.004). Melange is a development/build tool, so the vulnerability also enables compromise of build tooling and the software supply chain (T1195.001) through malicious inputs in CI and pull-request contexts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. This issue has been patched in version 0.40.3.

Deeper analysis [AI]

CVE-2026-25143 is a command injection vulnerability (CWE-78) in Melange, a tool for building APK packages using declarative pipelines. The issue affects versions 0.10.0 through 0.40.2, specifically in the built-in patch pipeline defined in pkg/build/pipelines/patch.yaml. This pipeline embeds user-influenced inputs—such as series paths, patch filenames, and numeric parameters—directly into shell scripts without proper quoting or validation, enabling shell metacharacters to escape their intended context.

An attacker who can control patch-related inputs, for example via pull request-driven CI, build-as-a-service systems, or by manipulating Melange configurations, can exploit the vulnerability during melange build or melange license-check operations. By injecting shell metacharacters like backticks, command substitutions ($(…)), semicolons, pipes, or redirections, they can execute arbitrary shell commands on the build host with the privileges of the Melange build process. The CVSS v3.1 base score of 7.8 reflects a local attack vector (AV:L) with low complexity (AC:L), no privileges required (PR:N), user interaction needed (UI:R), and unchanged scope, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The local vector and required interaction express that the attacker's input (a patch file, series file or configuration) has to be picked up by a build that someone triggers; in pull request-driven CI the attacker can supply both the input and the trigger, so practical exposure for such pipelines is higher than AV:L alone suggests.
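The following is an added example, not code from Melange or from this page: a stand-in shell pipeline step that shows the unquoted-template pattern the NVD description and the analysis above describe (a patch filename and a -p strip count pasted into a script), the injection it allows, and the two fixes SI-10 calls for, single-quoting of every external value and allow-list validation. The template text, the function names and the use of echo in place of a real patch invocation are assumptions chosen to keep the example runnable without side effects; nothing here reproduces pkg/build/pipelines/patch.yaml.

```shell
#!/bin/sh
# Added example, not melange's own pkg/build/pipelines/patch.yaml: a stand-in
# for a pipeline step whose template pastes a patch filename and a -p strip
# count into a shell script. The template text, the use of `echo` in place of
# a real `patch` invocation and the function names are assumptions.

# Execute a rendered step the way a pipeline runner would: as a script.
run_step() {
  sh -c "$1"
}

# Vulnerable rendering: the values land in the script text verbatim, the way
# an unquoted template substitution behaves, so a filename such as
# "x.patch; echo INJECTED" becomes two commands.
render_vulnerable() {
  printf 'echo applying %s strip=%s\n' "$1" "$2"
}

# Fix 1: single-quote anything that came from outside before it reaches the
# script. Inside single quotes nothing is special except the quote itself,
# which is rewritten as '\'' (close, escaped quote, reopen).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

render_quoted() {
  printf 'echo applying %s strip=%s\n' "$(shell_quote "$1")" "$(shell_quote "$2")"
}

# Fix 2 (defense in depth): reject values that do not look like what the step
# expects, so metacharacters never reach the template at all.
# Relative path made of ordinary filename characters, no traversal. This also
# rejects any name containing "..", which is stricter than strictly needed.
is_safe_path() {
  case "$1" in
    ''|/*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Non-empty string of digits only (the -p strip count).
is_safe_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Validate, then still quote: the allow-list stops the injection, the quoting
# keeps the script correct even if the allow-list is later loosened.
render_hardened() {
  is_safe_path "$1" && is_safe_number "$2" || return 1
  printf 'echo applying %s strip=%s\n' "$(shell_quote "$1")" "$2"
}

# First line of a rendered step's output, for inspection.
first_line() {
  run_step "$1" | head -n 1
}

# Demonstration with a constructed hostile filename.
evil='x.patch; echo INJECTED'
echo "vulnerable: $(run_step "$(render_vulnerable "$evil" 1)" | tr '\n' '|')"
echo "quoted:     $(run_step "$(render_quoted "$evil" 1)")"
render_hardened "$evil" 1 >/dev/null 2>&1 && echo "hardened:   accepted" || echo "hardened:   input rejected"
```

Run it with sh: the vulnerable rendering executes the injected echo as a second command, the quoted rendering prints the hostile filename back as plain data, and the hardened rendering refuses the input before any script is built. Tighten or loosen the allow-list to match what the real step accepts (series files, patch names, integers), and keep the quoting regardless, since the allow-list is the part most likely to be relaxed later.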

The vulnerability has been addressed in Melange version 0.40.3. Security practitioners should upgrade to this version or later. Additional details are available in the Chainguard security advisory at https://github.com/chainguard-dev/melange/security/advisories/GHSA-rf4g-89h5-crcr and the patching commit at https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030.

Details

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

chainguard melange, versions 0.10.0 to 0.40.5 as listed here. This upper bound conflicts with the rest of the page: the NVD description and the advisory give the fix as 0.40.3, which makes 0.40.2 the last affected release, so treat the 0.40.5 figure as a data inconsistency and confirm against the advisory before scoping remediation.

CVEs Like This One

CVE-2026-24844 (same product: Chainguard Melange)
CVE-2026-24843 (same product: Chainguard Melange)
CVE-2026-25121 (same vendor: Chainguard)
CVE-2026-1460 (shared CWE-78)
CVE-2026-22227 (shared CWE-78)
CVE-2024-54018 (shared CWE-78)
CVE-2025-22606 (shared CWE-78)
CVE-2024-55590 (shared CWE-78)
CVE-2026-25140 (same vendor: Chainguard)
CVE-2024-57019 (shared CWE-78)

References