Critical Privilege Escalation Vulnerability Discovered in Nix Package Manager
Key Takeaways
- Critical privilege escalation vulnerability (CVE-2026-39860) affects Nix versions 2.21 through 2.34.4, allowing root-level file writes
- By default, every user permitted to submit builds to the Nix daemon can exploit this vulnerability
- Patched versions are now available across multiple release branches; immediate updates are strongly recommended
Summary
A critical privilege escalation vulnerability has been discovered in the Nix package manager, affecting versions 2.21 and later through 2.34.4. The vulnerability, identified as CVE-2026-39860 (GHSA-g3g9-5vj6-r3gj), allows any user permitted to submit builds to the Nix daemon to achieve arbitrary file writes as root and subsequent privilege escalation through symlink following during Fixed-Output Derivation (FOD) output registration. This impacts all default configurations of NixOS and systems building untrusted derivations on sandboxed Linux configurations.
The Nix team has released patched versions (2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6) that address the issue. Notably, Lix users are unaffected by this vulnerability. The vulnerability was introduced as part of prior fixes for CVE-2024-27297, and patches for versions 2.31 through 2.34 include additional mitigations to prevent cooperating fixed-output derivations from communicating and passing file descriptors between distinct sandboxes.
- Lix, an alternative Nix implementation, is unaffected by this vulnerability
- The issue stems from symlink following during FOD output registration and impacts default NixOS configurations
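A quick audit helper for this advisory, added here as an example and not code from the advisory or the Nix project: it parses a `nix --version` banner and reports whether the install falls inside the stated 2.21 through 2.34.4 range and, if so, whether its branch is at or above the patched release. The affected range and the patched releases come from the text above; that Lix prints "Lix" in its version banner is my assumption.

```python
"""Classify a `nix --version` banner against the CVE-2026-39860 advisory."""
import re
import subprocess

# First patched release on each branch named in the advisory.
PATCHED = {34: 5, 33: 4, 32: 7, 31: 4, 30: 4, 29: 3, 28: 6}
AFFECTED_MIN_MINOR, AFFECTED_MAX_MINOR = 21, 34  # 2.21 .. 2.34.x


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from a banner such as 'nix (Nix) 2.34.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def classify(banner: str) -> str:
    """Return 'unaffected', 'patched', 'vulnerable' or 'vulnerable-upgrade'."""
    # Assumption: Lix identifies itself in its banner; the advisory says Lix is unaffected.
    if re.search(r"\bLix\b", banner):
        return "unaffected"
    major, minor, patch = parse_version(banner)
    # Outside the advisory's stated range (before 2.21 or after 2.34.x).
    if major != 2 or minor < AFFECTED_MIN_MINOR or minor > AFFECTED_MAX_MINOR:
        return "unaffected"
    fixed = PATCHED.get(minor)
    if fixed is None:
        # 2.21 .. 2.27: in range, but no patched release listed for this branch,
        # so the only listed remedy is moving to a patched branch.
        return "vulnerable-upgrade"
    return "patched" if patch >= fixed else "vulnerable"


if __name__ == "__main__":
    banner = subprocess.run(["nix", "--version"], capture_output=True,
                            text=True, check=True).stdout.strip()
    print(f"{banner} -> {classify(banner)}")
```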