Arbitrary File Overwrite Vulnerability in Nix Package Manager
CVE-2026-39860

Severity: 9 CRITICAL

Key Information:

Vendor: NixOS
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-39860?

CVE-2026-39860 is an arbitrary file overwrite vulnerability in the Nix package manager, which installs and manages software packages on Linux and other Unix-like operating systems. The flaw lies in the mitigation for an earlier issue, CVE-2024-27297: that mitigation is incomplete, so a malicious user can still cause the Nix process, which typically runs as root in multi-user installations, to follow symlinks while registering the outputs of fixed-output derivations and thereby overwrite files it should never touch. The affected code path is the one used for sandboxed builds on Linux. Because the writing process runs as root, the files that can be overwritten include sensitive system files, which can lead to privilege escalation. Organizations running Nix, especially in multi-user configurations, face serious consequences if this vulnerability is left unpatched.
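The defect described above belongs to a well-known class: a privileged process copies files that an unprivileged party prepared, and follows a symlink along the way. The Python sketch below is added here as an illustration of the defensive pattern; it is not code from Nix or from this advisory, and the function names, the "store" directory and the sample files are hypothetical. It registers a single-file build output without ever following a symlink, by inspecting the source with lstat(), opening both ends with O_NOFOLLOW, and creating the destination with O_EXCL so that nothing pre-existing at that path (file or planted symlink) is overwritten.

```python
import os
import shutil
import stat
import tempfile


class UnsafeOutputError(Exception):
    """Raised when registering a build output would follow a symlink."""


def _nofollow_opener(path, flags):
    # Opener for open(): adds O_NOFOLLOW so the kernel itself refuses to follow
    # a symlink in the final path component (ELOOP). This, not the lstat()
    # check below, is what makes the final component race-free.
    return os.open(path, flags | os.O_NOFOLLOW)


def register_fixed_output(build_output: str, store_dir: str) -> str:
    """Copy a single-file build output into store_dir without following symlinks.

    Hypothetical stand-in for a privileged 'register output' step (not Nix's
    own code). The builder that produced build_output is untrusted, so:
      * the source is inspected with lstat() and refused if it is a symlink;
      * source and destination are both opened with O_NOFOLLOW;
      * the destination is created with O_EXCL ("x" mode), so an existing file
        or a pre-planted symlink at that path is never written through.
    """
    st = os.lstat(build_output)          # lstat() does not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeOutputError(f"{build_output}: refusing to follow a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeOutputError(f"{build_output}: not a regular file")

    dest = os.path.join(store_dir, os.path.basename(build_output))
    with open(build_output, "rb", opener=_nofollow_opener) as src, \
            open(dest, "xb", opener=_nofollow_opener) as dst:
        shutil.copyfileobj(src, dst)
    os.chmod(dest, 0o444)                # registered contents are immutable
    return dest


def demo() -> dict:
    """Constructed scenario in a temp dir: a 'victim' file outside the store,
    a benign output, a symlinked output, and a symlink planted at a
    destination path. Returns what happened in each case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "store")
        os.mkdir(store)
        victim = os.path.join(tmp, "victim.txt")
        with open(victim, "w") as f:
            f.write("original\n")

        # 1. A regular file is registered normally.
        good = os.path.join(tmp, "out-good")
        with open(good, "w") as f:
            f.write("build result\n")
        results["good_registered"] = os.path.isfile(register_fixed_output(good, store))

        # 2. An output that is itself a symlink is refused before it is opened.
        link = os.path.join(tmp, "out-link")
        os.symlink(victim, link)
        try:
            register_fixed_output(link, store)
            results["symlink_source_rejected"] = False
        except UnsafeOutputError:
            results["symlink_source_rejected"] = True

        # 3. A symlink already sitting at the destination path is refused by
        #    O_CREAT|O_EXCL (FileExistsError), so the victim is never written.
        os.symlink(victim, os.path.join(store, "out-trap"))
        trap_src = os.path.join(tmp, "out-trap")
        with open(trap_src, "w") as f:
            f.write("would reach the victim if symlinks were followed\n")
        try:
            register_fixed_output(trap_src, store)
            results["symlink_dest_rejected"] = False
        except FileExistsError:
            results["symlink_dest_rejected"] = True

        with open(victim) as f:
            results["victim_intact"] = f.read() == "original\n"
    return results


if __name__ == "__main__":
    print(demo())
```

The sketch covers single-file outputs only; registering a directory tree safely needs the same discipline on every path component (an openat()/O_NOFOLLOW walk rather than path-based calls), which is exactly the kind of gap a partial mitigation such as the one for CVE-2024-27297 can leave behind.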

Potential impact of CVE-2026-39860

  1. Unauthorized Privilege Escalation: Attackers able to submit builds to the Nix daemon could gain root privileges, allowing them to modify or read sensitive system files and configuration.

  2. System Integrity Compromise: Overwriting critical files can corrupt or alter essential applications and services, causing malfunctions that disrupt operations.

  3. Increased Attack Surface: Systems running a vulnerable Nix become more attractive targets for follow-on attacks, including ransomware, since attackers tend to seek out hosts with known, unpatched vulnerabilities.

Affected Version(s)

Package   Affected range           Unaffected   Fixed in
nix       >= 2.21, < 2.28.6        < 2.21       2.28.6
nix       >= 2.29.0, < 2.29.3      < 2.29.0     2.29.3
nix       >= 2.30.0, < 2.30.4      < 2.30.0     2.30.4
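A practical first step is to check the installed Nix against the ranges above. The Python helper below is added here and is not part of this advisory or of Nix; it encodes the three affected ranges as half-open intervals [first affected, first fixed), parses the version out of `nix --version` output (e.g. "nix (Nix) 2.28.5"), and reports the first fixed release for an affected install. Versions outside every listed range, including anything newer than 2.30.x, are reported as not affected only because the advisory lists no range for them.

```python
import re
import subprocess

# Affected ranges from the advisory as (first affected, first fixed) tuples.
# Versions below each lower bound are listed as unaffected.
AFFECTED_RANGES = [
    ((2, 21, 0), (2, 28, 6)),
    ((2, 29, 0), (2, 29, 3)),
    ((2, 30, 0), (2, 30, 4)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a bare version string or from
    `nix --version` output. A missing patch level counts as 0. Pre-release
    suffixes such as '2.28.6pre...' are ignored, so a pre-release build of a
    fixed version is treated as fixed; tighten this if you ship such builds."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def fixed_version_for(text: str):
    """Return the first fixed release ('x.y.z') if the version falls in an
    affected range, otherwise None."""
    v = parse_version(text)
    for lower, upper in AFFECTED_RANGES:
        if lower <= v < upper:
            return ".".join(map(str, upper))
    return None


def is_affected(text: str) -> bool:
    return fixed_version_for(text) is not None


def check_installed(nix_binary: str = "nix"):
    """Run `nix --version` and return (raw output, first fixed release or None)."""
    out = subprocess.run([nix_binary, "--version"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip(), fixed_version_for(out)


if __name__ == "__main__":
    try:
        raw, fixed = check_installed()
    except FileNotFoundError:
        print("nix binary not found on PATH")
    else:
        if fixed:
            print(f"{raw}: AFFECTED by CVE-2026-39860, upgrade to {fixed} or later")
        else:
            print(f"{raw}: not in an affected range")
```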

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved