{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/nix/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.3,"id":"CVE-2024-27297"},{"cvss":9,"id":"CVE-2026-39860"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["nix","privilege-escalation","linux","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in the Nix package manager for Linux systems, stemming from an incomplete fix for CVE-2024-27297. The flaw, identified as CVE-2026-39860, allows for arbitrary file overwrites due to improper handling of symlinks during the registration of fixed-output derivation outputs. This occurs when a derivation builder creates a symlink within the build chroot pointing to an arbitrary location in the filesystem. Subsequently, the Nix process, operating in the host mount namespace, follows this symlink and overwrites the destination with the derivation\u0026rsquo;s output. This issue primarily affects sandboxed Linux builds, while macOS builds remain unaffected. The vulnerability poses a significant risk in multi-user Nix installations where any user with build submission privileges (i.e., those allowed by \u0026lsquo;allowed-users\u0026rsquo;) can exploit this flaw to gain root privileges by modifying sensitive system files. The vulnerability has been patched in Nix versions 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious user, with privileges to submit builds to the Nix daemon, crafts a Nix derivation designed to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious derivation includes instructions to create a symlink within the build chroot. 
This symlink points to a sensitive system file outside of the chroot environment, such as \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Nix daemon runs the build inside its sandbox, and the builder creates the specified symlink during the build.\u003c/li\u003e\n\u003cli\u003eDuring fixed-output derivation output registration, the Nix daemon, which runs as root in the host mount namespace, copies the output from its temporary location into the Nix store.\u003c/li\u003e\n\u003cli\u003eThe daemon reaches the malicious symlink and, because the symlink is not detected and rejected before the path is opened, the kernel resolves it to the target file in the root filesystem.\u003c/li\u003e\n\u003cli\u003eThe daemon writes the derivation\u0026rsquo;s output over the contents of the target file.\u003c/li\u003e\n\u003cli\u003eBy overwriting a file like \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e, the attacker controls account data such as password hashes and UIDs.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root privileges by authenticating as a modified or newly added account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability in multi-user Nix installations allows any user capable of submitting builds to the Nix daemon to achieve root privilege escalation. This could lead to complete system compromise, including data theft, modification, or destruction. The severity is critical because the build sandbox is supposed to confine a build\u0026rsquo;s writes to its own output paths, and the daemon\u0026rsquo;s root-privileged copy step undoes that confinement. 
The number of potentially affected systems is broad: any Linux system running a vulnerable Nix in a multi-user (daemon) configuration, which is how NixOS runs Nix and the mode the Nix installer recommends on Linux. The privilege boundary the flaw crosses exists only where a root daemon builds on behalf of unprivileged users; macOS builds are unaffected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Nix to version 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, or 2.28.6 (whichever matches the installed release branch) to patch CVE-2026-39860, and restart \u003ccode\u003enix-daemon\u003c/code\u003e so that the running daemon is the patched binary.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious activity related to \u003ccode\u003enix-daemon\u003c/code\u003e and modifications to sensitive files such as \u003ccode\u003e/etc/passwd\u003c/code\u003e and \u003ccode\u003e/etc/shadow\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on sensitive system files to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRegularly audit and restrict the \u003ccode\u003eallowed-users\u003c/code\u003e setting of the Nix daemon to minimize the attack surface; its default of \u003ccode\u003e*\u003c/code\u003e lets every local user submit builds. Restricting it limits who can reach the flaw but is not a fix, since any remaining allowed user can still exploit an unpatched daemon.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T12:00:00Z","date_published":"2026-04-09T12:00:00Z","id":"/briefs/2026-04-nix-privesc/","summary":"A flaw in the Nix package manager allows arbitrary file overwrites via symlink following during fixed-output derivation registration, potentially leading to root privilege escalation on multi-user Linux systems.","title":"Nix Package Manager Arbitrary File Overwrite Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nix-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Nix","version":"https://jsonfeed.org/version/1.1"}