CVE-2026-39860

April 8, 2026, 9:26 p.m.

9.0
Critical

Description

Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.

Product(s) Impacted

Vendor Product Versions
Nixos
  • Nix
  • 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, 2.28.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-61
UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a nixos nix 2.34.5 / / / / / / /
a nixos nix 2.33.4 / / / / / / /
a nixos nix 2.32.7 / / / / / / /
a nixos nix 2.31.4 / / / / / / /
a nixos nix 2.30.4 / / / / / / /
a nixos nix 2.29.3 / / / / / / /
a nixos nix 2.28.6 / / / / / / /

References

https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
https://github.com/NixOS/nix/commit/4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a
https://github.com/NixOS/nix/commit/7794354a982449927ee7401cdeb573ddd16c4688
https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a
https://github.com/NixOS/nix/pull/10178
https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj

Tags

[email protected]
CWE-61
2026-04-08
CVE-2026-39860

CVSS Score

9.0 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

    View Vector String

Timeline

Published: April 8, 2026, 9:17 p.m.
Last Modified: April 8, 2026, 9:26 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.