CVE-2025-46416
BaseFortify
Publication date: 2025-06-27
Last updated on: 2025-06-30
Assigner: MITRE
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-282 | The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-46416 is a privilege escalation vulnerability affecting the Nix, Lix, and Guix package managers. It allows a user to bypass build isolation and elevate their privileges to the build user account (such as nixbld or guixbuild). This is achieved by exploiting flaws that let an attacker exfiltrate setuid programs or execute arbitrary code as the build user outside the sandbox environment. The vulnerability arises from weaknesses in interprocess communication and namespace isolation, particularly involving abstract Unix-domain sockets and race conditions in file operations. Exploiting this can lead to unauthorized privilege escalation during package builds. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can allow a local user who can start package builds to escalate their privileges to the build user account, which has elevated permissions compared to a normal user. In some cases, if the daemon runs as root, this can lead to arbitrary file writes to critical system files (e.g., /etc/passwd) and potentially full root privilege escalation. Even if the daemon does not run as root, the attacker can gain guix-daemon user privileges, allowing unauthorized write access to the package store. This compromises system security by breaking sandbox isolation and enabling unauthorized code execution and file manipulation. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
For detecting the vulnerability in guix-daemon related to CVE-2025-46416, a test script named abstract-socket-vuln-check.scm is provided. This script attempts to connect to an abstract Unix-domain socket outside the build environment. If the system is vulnerable, the script outputs "Abstract unix socket hole is OPEN, guix-daemon is VULNERABLE," otherwise it outputs "Abstract unix socket hole is CLOSED." Users can run this script to check for the presence of the vulnerability. Specific commands to run this script are not detailed, but it is implied to be run within the Guix environment. No direct network commands are provided for Nix or Lix detection. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading to the fixed versions or commits that address the vulnerability. For Guix, users should upgrade to commit 30a5d140aa or later, which includes fixes that close the abstract Unix-domain socket hole and improve file operation safety. For Guix System, this involves running `guix pull` followed by system reconfiguration and restarting the guix-daemon or rebooting. For Guix on other distributions, running `sudo guix pull` and restarting the guix-daemon service (e.g., via systemd) is required. For Nix and Lix, upgrading to fixed versions is recommended, and partial mitigations include restricting which users can invoke `nix-build` via configuration options like `allowed-users` or `trusted-users`, or running the Nix daemon without root privileges. These mitigations are partial and complex, so upgrading is strongly advised. [2, 3]
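The partial Nix mitigation mentioned above, limiting which local users may submit builds to the daemon, is a change to `nix.conf`. The fragment below is an added illustration, not from the advisory or from the Nix project's documentation; the group name `nixbuilders` is a constructed placeholder, and the weak line shows the setting that leaves every local user able to invoke `nix-build`.

```ini
# nix.conf (added example, not from the original page)

# Weak: the wildcard lets every local account submit builds to the daemon,
# so any user can reach the build-user context this CVE concerns.
allowed-users = *

# Hardened: only members of a dedicated group (placeholder name) may submit
# builds. Keep the privileged list as small as possible; root only, here.
allowed-users = @nixbuilders
trusted-users = root
```

Only one `allowed-users` line should be present in a real file; both are shown here for contrast. This reduces who can reach the flaw but does not remove it, which is why the page advises upgrading to a fixed release and treats this as a partial measure.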