CVE-2026-39860 (GCVE-0-2026-39860)
Vulnerability from cvelistv5
Published
2026-04-08 20:58
Modified
2026-04-09 13:42
Severity
9.0 CRITICAL (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N, as scored by the CNA)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Summary
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed arbitrary overwrites of any file writable by the Nix process that orchestrates builds (typically the Nix daemon, running as root in multi-user installations), by following symlinks during fixed-output derivation (FOD) output registration. Sandboxed Linux builds are affected; sandboxed macOS builds are not. The temporary path used for the output copy (the FOD `.tmp` destination) was located inside the build chroot, so the derivation builder could create a symlink at that path pointing at an arbitrary location on the host filesystem. During output registration, the Nix process (running in the host mount namespace) followed that symlink and overwrote its target with the derivation's output contents. In multi-user installations, every user allowed to submit builds to the daemon (the `allowed-users` setting, which defaults to all users) could therefore gain root privileges by modifying sensitive files. The vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
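The mechanism described above, reduced to its essentials as an added illustration written for this page. This is not Nix's code and does not reproduce the fix in the referenced commits: it shows the CWE-61 pattern with a constructed chroot layout (the `nix/store/out.tmp` path, the `etc_passwd` stand-in for a root-owned file, and the function names are all hypothetical), an untrusted "builder" planting a symlink at the temporary output path, a naive orchestrator write that follows it, and a hardened write that refuses to go through a symlink.

```python
"""Illustration of symlink following at a privileged copy destination (CWE-61).
Added example for this page; not Nix's implementation."""
import errno
import os
import tempfile


def builder_plants_symlink(chroot, tmp_output_rel, target):
    """Untrusted side. Inside the sandbox the builder controls the tree under
    `chroot`, so it can place a symlink at the path the orchestrator will
    later write to, pointing at an arbitrary host path."""
    link = os.path.join(chroot, tmp_output_rel)
    os.makedirs(os.path.dirname(link), exist_ok=True)
    os.symlink(target, link)
    return link


def naive_register_output(tmp_output_path, contents):
    """Vulnerable pattern: a plain open() for writing follows symlinks, so the
    truncate-and-write lands on whatever the link points at."""
    with open(tmp_output_path, "wb") as f:
        f.write(contents)


def hardened_register_output(tmp_output_path, contents):
    """Hardened pattern: O_NOFOLLOW makes the kernel fail the open with ELOOP
    when the final path component is a symlink. This is atomic with the open,
    so there is no check-then-use window (an islink() test beforehand would
    still be racy)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(tmp_output_path, flags, 0o644)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise PermissionError(
                f"refusing to write through symlink at {tmp_output_path}"
            ) from exc
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(contents)


def demo():
    """Run both registrations against a planted symlink and report what the
    sensitive host file contains afterwards.
    Returns (contents after naive write, whether hardened write was blocked,
    contents after hardened write)."""
    with tempfile.TemporaryDirectory() as host:
        chroot = os.path.join(host, "chroot")
        # Constructed stand-in for a root-owned file outside the chroot.
        victim = os.path.join(host, "etc_passwd")
        with open(victim, "w") as f:
            f.write("original\n")
        payload = b"attacker-controlled output\n"

        link = builder_plants_symlink(chroot, "nix/store/out.tmp", victim)

        naive_register_output(link, payload)
        with open(victim) as f:
            after_naive = f.read()

        # Reset the victim and try again with the hardened write.
        with open(victim, "w") as f:
            f.write("original\n")
        blocked = False
        try:
            hardened_register_output(link, payload)
        except PermissionError:
            blocked = True
        with open(victim) as f:
            after_hardened = f.read()
        return after_naive, blocked, after_hardened


if __name__ == "__main__":
    naive, blocked, hardened = demo()
    print("after naive write:   ", naive.strip())
    print("hardened write blocked:", blocked)
    print("after hardened write:", hardened.strip())
```

Two caveats on the hardened variant. O_NOFOLLOW only guards the final path component; if the builder can replace a parent directory with a symlink, the write still lands elsewhere, so the orchestrator's destination and every directory above it must be outside anything the sandboxed builder can write. That structural property, keeping the temporary copy destination out of the build chroot, is the point the advisory makes; the O_NOFOLLOW check is defence in depth, not a substitute.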
References
| URL | Tags |
|---|---|
| https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj | x_refsource_CONFIRM |
| https://github.com/NixOS/nix/pull/10178 | x_refsource_MISC |
| https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 | x_refsource_MISC |
| https://github.com/NixOS/nix/commit/4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a | x_refsource_MISC |
| https://github.com/NixOS/nix/commit/7794354a982449927ee7401cdeb573ddd16c4688 | x_refsource_MISC |
| https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| NixOS | nix | >= 2.21, < 2.28.6 |
| NixOS | nix | >= 2.29.0, < 2.29.3 |
| NixOS | nix | >= 2.30.0, < 2.30.4 |
| NixOS | nix | >= 2.31.0, < 2.31.4 |
| NixOS | nix | >= 2.32.0, < 2.32.7 |
| NixOS | nix | >= 2.33.0, < 2.33.4 |
| NixOS | nix | >= 2.34.0, < 2.34.5 |
| NixOS | nix | >= 2.20.5, <= 2.20.9 |
| NixOS | nix | >= 2.19.4, <= 2.19.7 |
| NixOS | nix | >= 2.18.2, <= 2.18.9 |
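A small helper, added for this page and not part of the advisory, that checks a Nix version string against the ranges listed above. It assumes `nix --version` prints a line of the form `nix (Nix) 2.32.6`; the parser also accepts a bare `2.32.6` or a prerelease string such as `2.33.0pre...`, which it treats as the base version. Note what a negative result means: the 2.18, 2.19 and 2.20 lines are listed as affected through their last listed patch release with no fixed version named on this page, and versions older than 2.18.2 are simply not listed, so "not affected" here means "not in the page's ranges", nothing more.

```python
"""Check a Nix version against the affected ranges on this CVE page.
Added helper; the ranges are copied from the "Impacted products" list."""
import re
import shutil
import subprocess

# (lower bound inclusive, upper bound, upper bound inclusive?)
AFFECTED_RANGES = [
    ((2, 21, 0), (2, 28, 6), False),
    ((2, 29, 0), (2, 29, 3), False),
    ((2, 30, 0), (2, 30, 4), False),
    ((2, 31, 0), (2, 31, 4), False),
    ((2, 32, 0), (2, 32, 7), False),
    ((2, 33, 0), (2, 33, 4), False),
    ((2, 34, 0), (2, 34, 5), False),
    # Older lines: affected through the last listed patch release; no fixed
    # version for these lines is named on the page.
    ((2, 20, 5), (2, 20, 9), True),
    ((2, 19, 4), (2, 19, 7), True),
    ((2, 18, 2), (2, 18, 9), True),
]


def parse_version(text):
    """Extract (major, minor, patch) from '2.32.6', 'nix (Nix) 2.32.6' or
    '2.33.0pre20251001_abcdef'. A missing patch component is treated as 0,
    so '2.21' becomes (2, 21, 0), matching how the page uses '>= 2.21'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text):
    """True if the version falls inside any range listed on the page."""
    v = parse_version(text)
    for lo, hi, inclusive in AFFECTED_RANGES:
        if v >= lo and (v <= hi if inclusive else v < hi):
            return True
    return False


def check_installed():
    """Run `nix --version` on this host (assumed output: 'nix (Nix) X.Y.Z').
    Returns True/False, or None if nix is not on PATH."""
    exe = shutil.which("nix")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_affected(out)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("nix not found on PATH")
    else:
        print("installed nix affected:", result)
```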
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T13:42:26.389636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T13:42:36.997Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nix",
"vendor": "NixOS",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.21, \u003c 2.28.6"
},
{
"status": "affected",
"version": "\u003e= 2.29.0, \u003c 2.29.3"
},
{
"status": "affected",
"version": "\u003e= 2.30.0, \u003c 2.30.4"
},
{
"status": "affected",
"version": "\u003e= 2.31.0, \u003c 2.31.4"
},
{
"status": "affected",
"version": "\u003e= 2.32.0, \u003c 2.32.7"
},
{
"status": "affected",
"version": "\u003e= 2.33.0, \u003c 2.33.4"
},
{
"status": "affected",
"version": "\u003e= 2.34.0, \u003c 2.34.5"
},
{
"status": "affected",
"version": "\u003e= 2.20.5, \u003c= 2.20.9"
},
{
"status": "affected",
"version": "\u003e= 2.19.4, \u003c= 2.19.7"
},
{
"status": "affected",
"version": "\u003e= 2.18.2, \u003c= 2.18.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation\u0027s output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T20:58:22.979Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj"
},
{
"name": "https://github.com/NixOS/nix/pull/10178",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NixOS/nix/pull/10178"
},
{
"name": "https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9"
},
{
"name": "https://github.com/NixOS/nix/commit/4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NixOS/nix/commit/4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a"
},
{
"name": "https://github.com/NixOS/nix/commit/7794354a982449927ee7401cdeb573ddd16c4688",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NixOS/nix/commit/7794354a982449927ee7401cdeb573ddd16c4688"
},
{
"name": "https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a"
}
],
"source": {
"advisory": "GHSA-g3g9-5vj6-r3gj",
"discovery": "UNKNOWN"
},
"title": "Nix sandbox escape: file write via symlink at FOD `.tmp` copy destination"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39860",
"datePublished": "2026-04-08T20:58:22.979Z",
"dateReserved": "2026-04-07T19:13:20.379Z",
"dateUpdated": "2026-04-09T13:42:36.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.