Unbounded Recursion Vulnerability in Nix and Lix by NixOS
CVE-2026-44028

7.5HIGH

Key Information:

Vendor: Nixos
Status: Nix; Lix
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-44028?

A severe issue has been detected in Nix before version 2.34.7 and Lix before version 2.95.2, where unbounded recursion in the NAR parser can cause a stack-to-heap overflow when executed on a coroutine stack. This condition occurs due to the absence of a guard page, potentially allowing memory on the heap to be overwritten, leading to arbitrary code execution by the Nix daemon, especially if Address Space Layout Randomization (ASLR) protections are circumvented. All users who can connect to the daemon, such as those configured through the allowed-users setting (defaulting to all users), are at risk. The vulnerability has been addressed in fixed releases: Nix 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, 2.28.7, and Lix 2.95.2, 2.94.2, 2.93.4.

Affected Version(s)

Lix 2.93.0 < 2.93.4

Lix 2.94.0 < 2.94.2

Lix 2.95.0 < 2.95.2

References

https://discourse.nixos.org/t/security-advisory-local-pri...

https://github.com/NixOS/nix/security/advisories/GHSA-vh5...

https://www.openwall.com/lists/oss-security/2026/05/04/33

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-44028 Data

JSON

Nixos

What is CVE-2026-44028?

Affected Version(s)

References

CVSS V3.1

Timeline