Description
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
Published: 2026-05-05
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unbounded recursion in the Nix Archive (NAR) parser can cause a stack-to-heap overflow on a coroutine stack. The allocator creates the stack without a guard page, enabling a stack overflow to overwrite heap memory. If ASLR hardening is bypassed, an attacker that can invoke the parser on the root‑owned Nix daemon can achieve arbitrary code execution and elevate privileges to root.

Affected Systems

The vulnerability affects the Nix package manager before version 2.34.7 and Lix before version 2.95.2. Fixed releases include Nix 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7, and Lix 2.95.2, 2.94.2, and 2.93.4. In multi‑user installations, the Nix daemon runs as root and accepts connections from any user unless the allowed‑users setting is restricted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. Because the EPSS score is not available and the issue is not listed in CISA's KEV catalog, the current exploitation probability is unknown, but the existence of an unguarded stack and the ability to reach the daemon make the risk moderate to high. Exploitation requires a user that is permitted to communicate with the daemon and the ability to bypass ASLR, making the attack vector local to the affected host.

Generated by OpenCVE AI on May 5, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nix to at least 2.34.7 or Lix to at least 2.95.2.
  • Tighten the allowed‑users configuration for the Nix daemon to include only trusted accounts, or disable the daemon when it is not required.
  • As a temporary defensive measure, ensure that ASLR hardening is enabled and consider isolating the daemon process in a sandboxed environment; if upgrading is delayed, restrict network access to the daemon so that only local, trusted users can reach it.
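
To apply the first recommended action across a fleet, the following added example (not part of the advisory and not Nix or Lix project code) classifies an installed version against the per-branch fixed releases and introduction versions listed in the description. The host names and versions in INVENTORY are constructed, the function names are hypothetical, and version suffixes after the numeric part are ignored as a simplifying assumption.

```python
import re

# Data copied from the description above: branch (major, minor) -> first fixed patch.
FIXED = {
    "nix": {(2, 28): 7, (2, 29): 4, (2, 30): 5, (2, 31): 5,
            (2, 32): 8, (2, 33): 6, (2, 34): 7},
    "lix": {(2, 93): 4, (2, 94): 2, (2, 95): 2},
}
INTRODUCED = {"nix": (2, 24, 4), "lix": (2, 93, 0)}


def parse_version(text):
    """Return (major, minor, patch); suffixes such as 'pre...' are ignored (assumption)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(product, version_text):
    """Return (status, upgrade_target) for one installation."""
    branches = FIXED[product.lower()]
    major, minor, patch = parse_version(version_text)
    if (major, minor, patch) < INTRODUCED[product.lower()]:
        return "not-affected", None          # predates the vulnerable code
    newest = max(branches)
    if (major, minor) > newest:
        return "fixed", None                 # newer than every listed branch
    fixed_patch = branches.get((major, minor))
    if fixed_patch is None:
        # Affected branch with no fixed release listed (e.g. Nix 2.24.4 to 2.27.x).
        return "affected", "%d.%d.%d" % (*newest, branches[newest])
    if patch >= fixed_patch:
        return "fixed", None
    return "affected", "%d.%d.%d" % (major, minor, fixed_patch)


# Constructed inventory (hypothetical hosts and versions) for illustration.
INVENTORY = [
    ("build-01", "nix", "2.24.3"),
    ("build-02", "nix", "2.26.1"),
    ("ci-03", "nix", "2.31.4"),
    ("ci-04", "nix", "2.31.5"),
    ("dev-05", "lix", "2.93.3"),
]


def report(inventory):
    return {host: triage(product, version) for host, product, version in inventory}
```

Branches that are affected but have no fixed release in the list are pointed at the newest fixed release for that product.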

Generated by OpenCVE AI on May 5, 2026 at 02:21 UTC.


Advisories

No advisories yet.

History

Tue, 05 May 2026 04:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lix Project; Lix Project lix; Nixos; Nixos nix
Vendors & Products | | Lix Project; Lix Project lix; Nixos; Nixos nix

Tue, 05 May 2026 02:45:00 +0000

Type | Values Removed | Values Added
Title | | Stack-to-Heap Overflow in Nix Archive Parser Allows Privilege Escalation and Arbitrary Code Execution

Tue, 05 May 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Weaknesses | | CWE-674
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T00:37:42.535Z

Reserved: 2026-05-05T00:29:44.087Z

Link: CVE-2026-44028

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T01:16:06.983

Modified: 2026-05-05T01:16:06.983

Link: CVE-2026-44028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T04:00:11Z

Weaknesses