Unbounded Recursion Vulnerability in Nix and Lix by NixOS
CVE-2026-44028
What is CVE-2026-44028?
CVE-2026-44028 represents a significant vulnerability found in the Nix and Lix software, both maintained by NixOS. This vulnerability is characterized by an unbounded recursion issue in the NAR (Nix Archive) parser, which can trigger a stack-to-heap overflow when the parser operates on a coroutine stack. The underlying problem lies in the fact that the stack is allocated without a guard page, leading to potential memory corruption on the heap. This type of overflow can pave the way for arbitrary code execution, particularly when the Nix daemon, typically running with root privileges in multi-user settings, is compromised. As this daemon's access controls are configurable, even users with minimal permissions could exploit this vulnerability, heightening its risk profile for organizations that utilize Nix in their environments.
Potential impact of CVE-2026-44028
-
Arbitrary Code Execution: The vulnerability allows for arbitrary code to be executed on systems where the Nix daemon is running, especially if security measures like Address Space Layout Randomization (ASLR) are bypassed. This can result in complete system compromise, enabling attackers to perform unauthorized actions.
-
Privilege Escalation: Given that the Nix daemon often runs with root privileges, exploitation of this vulnerability could allow malicious users to escalate their privileges, gaining control over critical parts of the system that would typically be protected.
-
Data Integrity Risks: With the ability to execute arbitrary code, attackers could manipulate, delete, or exfiltrate sensitive data stored on the system. This not only jeopardizes organizational operations but can also lead to severe data integrity issues and compliance violations.
Affected Version(s)
Lix 2.93.0 < 2.93.4
Lix 2.94.0 < 2.94.2
Lix 2.95.0 < 2.95.2
