Description
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
Published: 2026-04-08
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Nix package manager’s sandboxed build process allows a builder to create a symlink that redirects output registration to an arbitrary writable file. The Nix daemon, which ordinarily runs as root in multi-user installations, follows that link when moving the build result, thereby overwriting the target file. This results in arbitrary file modification and can elevate a non-privileged user to full root control over the host system. The weakness maps to CWE-61 (UNIX symbolic link following), the classic symlink-injection issue that leads to an untrusted file write.
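The description above pins the root cause on the staging path living inside the build chroot, where the builder can replace it with a symlink before the daemon copies into it. The following C++ is an added illustration, not Nix's own code or its actual fix: a hypothetical file-level guard showing why a stat()-based check is fooled by a planted link (stat() reports the link's target) and how lstat() plus O_NOFOLLOW refuses it. The function names and the scratch-directory layout are constructed for this example.

```cpp
#include <cerrno>
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical guard for the staging path an output is copied into.
// lstat() reports the link itself, so a builder-planted symlink is visible.
bool stagingPathIsSymlink(const std::string& path) {
    struct stat st{};
    if (lstat(path.c_str(), &st) != 0) return false;  // nothing there yet
    return S_ISLNK(st.st_mode);
}

// The weak pattern: stat() follows the link and sees an ordinary file.
bool weakCheckAcceptsStaging(const std::string& path) {
    struct stat st{};
    if (stat(path.c_str(), &st) != 0) return true;
    return S_ISREG(st.st_mode) || S_ISDIR(st.st_mode);
}

// Hardened: reject links up front, then open with O_NOFOLLOW so a link raced
// into place after the check still fails with ELOOP instead of being written through.
int openStagingNoFollow(const std::string& path) {
    if (stagingPathIsSymlink(path)) { errno = ELOOP; return -1; }
    return open(path.c_str(), O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
}

// Self-contained demo in a scratch directory (constructed): "target" stands in
// for a host file, "output.tmp" is the builder-controlled staging path.
// Returns true when the weak check accepts the link but the hardened open refuses it.
bool demoGuardCatchesPlantedLink() {
    char tmpl[] = "/tmp/nix-guard-demo-XXXXXX";
    char* dir = mkdtemp(tmpl);
    if (!dir) return false;
    std::string target = std::string(dir) + "/target";
    std::string staging = std::string(dir) + "/output.tmp";
    int fd = open(target.c_str(), O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return false;
    close(fd);
    if (symlink(target.c_str(), staging.c_str()) != 0) return false;
    bool weakFooled = weakCheckAcceptsStaging(staging);
    int hardened = openStagingNoFollow(staging);
    bool hardenedRefused = (hardened < 0) && (errno == ELOOP);
    unlink(staging.c_str()); unlink(target.c_str()); rmdir(dir);
    return weakFooled && hardenedRefused;
}
```

The lstat() check alone is still racy; O_NOFOLLOW on the final open is what closes the window, and the structural fix is to keep the staging path out of any tree the builder can write.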

Affected Systems

The vulnerability affects Linux installations of the Nix package manager, specifically sandboxed builds performed by the Nix daemon. Versions earlier than 2.34.5 (and the corresponding patches 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6) are susceptible. macOS sandboxed builds are not impacted.

Risk and Exploitability

The CVSS score is 9, indicating critical severity, and the exploitability score is not available. The vulnerability is not yet catalogued in CISA’s KEV list. An attacker only needs the ability to submit a derivation to the Nix daemon, which by default permits all users on a multi-user system. This makes exploitation highly feasible and the potential impact total system compromise. Immediate remediation is strongly recommended.

Generated by OpenCVE AI on April 8, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nix to version 2.34.5 or later (or to the latest stable release available).
  • Verify that the Nix daemon is not allowing unrestricted build submissions; restrict allowed-users to a minimal set of trusted accounts if possible.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values added: Nixos; Nixos nix

Type: Vendors & Products
Values added: Nixos; Nixos nix

Wed, 08 Apr 2026 21:15:00 +0000

Type: Description
Values added: Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.

Type: Title
Values added: Nix sandbox escape: file write via symlink at FOD `.tmp` copy destination

Type: Weaknesses
Values added: CWE-61

Type: References
Values added: none listed

Type: Metrics (cvssV3_1)
Values added: {'score': 9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T13:42:36.997Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39860

Vulnrichment

Updated: 2026-04-09T13:42:31.427Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T21:17:00.157

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39860

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:11Z

Weaknesses