Arbitrary File Overwrite Vulnerability in Nix Package Manager
CVE-2026-39860

9 CRITICAL

Key Information:

Vendor: Nixos
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-39860?

A flaw in the Nix package manager allows arbitrary file overwrites because of improper symlink handling in multi-user environments. When a user submits a build to the Nix daemon, they can manipulate symlinks so that they point at sensitive files on the filesystem. Because the Nix process may then inadvertently overwrite critical system files, the flaw enables unauthorized access to and modification of files, which can lead to escalated privileges. The issue specifically affects sandboxed Linux builds and should be patched promptly to mitigate the risk.

Affected Version(s)

  • nix >= 2.21, < 2.28.6

  • nix >= 2.29.0, < 2.29.3

  • nix >= 2.30.0, < 2.30.4

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved