Privilege Escalation in Nix, Lix, and Guix Package Managers
CVE-2025-46416

2.9LOW

Key Information:

Vendor

Nixos

Status
Nix
Vendor
CVE Published:
27 June 2025

Badges

đź“° News Worthy

What is CVE-2025-46416?

The Nix, Lix, and Guix package managers exhibit a critical flaw that permits users to bypass build isolation mechanisms. This vulnerability allows unauthorized privilege escalation, enabling users to access the build user account, which could lead to potential exploitation. The affected versions span multiple releases across all three package managers, potentially allowing malicious actors to compromise the build environment.

Affected Version(s)

Nix 0 <= 2.24.15

Nix 2.25.0 <= 2.26.4

Nix 2.27.0 <= 2.28.4

News Articles

favicon imageNixOS Discourse

Security Advisory: Privilege Escalations in Nix, Lix and Guix - Announcements / Security - NixOS Discourse

Summary This advisory follows up on the pre-announcement made last week. Nix and Lix are affected by a set of issues that can be combined to achieve root privilege escalation. These issues are identified as: CVE-2025-&hellip;

References

https://discourse.nixos.org/t/security-advisory-privilege...
https://lix.systems/blog/2025-06-24-lix-cves/
https://guix.gnu.org/en/blog/2025/privilege-escalation-vu...

CVSS V3.1

Score:
2.9
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • đź“°

    First article discovered by NixOS Discourse

  • Vulnerability Reserved

.