CVE-2026-39860
Symlink Follow Vulnerability in Nix Allows Root Overwrite
Publication date: 2026-04-08
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nixos | nix | From 2.18.2 (inc) to 2.18.9 (inc) |
| nixos | nix | From 2.19.4 (inc) to 2.19.7 (inc) |
| nixos | nix | From 2.20.5 (inc) to 2.20.9 (inc) |
| nixos | nix | From 2.21.0 (inc) to 2.28.6 (exc) |
| nixos | nix | From 2.29.0 (inc) to 2.29.3 (exc) |
| nixos | nix | From 2.30.0 (inc) to 2.30.4 (exc) |
| nixos | nix | From 2.31.0 (inc) to 2.31.4 (exc) |
| nixos | nix | From 2.32.0 (inc) to 2.32.7 (exc) |
| nixos | nix | From 2.33.0 (inc) to 2.33.4 (exc) |
| nixos | nix | From 2.34.0 (inc) to 2.34.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the Nix package manager on Linux and other Unix-like systems. The fix for an earlier issue, CVE-2024-27297, introduced a bug that lets a build overwrite any file the Nix process itself can write to: while registering the output of a fixed-output derivation, Nix follows symbolic links, and the builder can make such a link resolve to any location on the filesystem.
Concretely, during a sandboxed Linux build the derivation's builder runs inside a chroot and can create a symlink there that points at any file on the host. When the Nix process (root in a multi-user installation) registers the build output, it follows that link and writes the output over the link's target instead of into the store. Any user allowed to submit builds to the Nix daemon can therefore overwrite arbitrary files on the system and, through the right file, obtain root.
Sandboxed macOS builds are not affected. Fixed releases are 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3 and 2.28.6. Note that the affected-version table above lists no fixed release on the 2.18, 2.19 and 2.20 lines (their ranges end inclusively), so those lines need to move to a fixed line rather than to a patch release.
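The registration step described above has the classic CWE-61 shape: a privileged process opens, for writing, a path that an untrusted builder controls, and a symlink left at that path redirects the write. The example below is added here and is not Nix's code; it models that step in C++ (Nix's implementation language) with a naive installer beside a hardened one that opens the destination with O_CREAT|O_EXCL|O_NOFOLLOW, and drives both against a constructed scratch directory in /tmp. The function names (naive_install, safe_install, run_demo), the scratch layout and the "victim" file are assumptions of the example, standing in for a real system file.

```cpp
// Added illustration of CWE-61 in an output-registration step. Not Nix's
// code: it models the naive vs. hardened way of materialising a build output
// at a destination path that an untrusted builder may have replaced with a
// symlink. Requires a POSIX system (Linux or macOS).
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

namespace {

bool write_all(int fd, const std::string& data) {
    size_t off = 0;
    while (off < data.size()) {
        ssize_t n = write(fd, data.data() + off, data.size() - off);
        if (n <= 0) return false;
        off += static_cast<size_t>(n);
    }
    return true;
}

std::string read_file(const std::string& path) {
    std::ifstream in(path);
    std::stringstream ss;
    ss << in.rdbuf();
    return ss.str();
}

void write_text(const std::string& path, const std::string& text) {
    std::ofstream f(path);
    f << text;
}

}  // namespace

// Vulnerable pattern: open(2) with neither O_EXCL nor O_NOFOLLOW resolves a
// symlink already sitting at `dst`, so the O_TRUNC and the write both land
// on the link's target.
bool naive_install(const std::string& dst, const std::string& data) {
    int fd = open(dst.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return false;
    bool ok = write_all(fd, data);
    close(fd);
    return ok;
}

// Hardened pattern: O_CREAT|O_EXCL fails if anything (including a dangling
// symlink) already exists at `dst`; O_NOFOLLOW additionally refuses to
// traverse a symlink as the final path component. Deliberately no lstat()
// pre-check: a check-then-open sequence would reopen the race.
bool safe_install(const std::string& dst, const std::string& data) {
    int fd = open(dst.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return false;  // errno is EEXIST or ELOOP in the symlink case
    bool ok = write_all(fd, data);
    close(fd);
    return ok;
}

struct DemoResult {
    bool naive_clobbered;   // victim overwritten through the symlink
    bool hardened_refused;  // safe_install() declined to write
    bool victim_intact;     // victim unchanged after safe_install()
};

// Constructed scenario: a "victim" file standing in for a sensitive host file,
// and an output path that the "builder" has replaced with a symlink to it.
DemoResult run_demo() {
    char tmpl[] = "/tmp/cwe61-demo.XXXXXX";
    char* p = mkdtemp(tmpl);
    DemoResult r{};
    if (!p) return r;
    std::string dir = p;
    std::string victim = dir + "/victim";
    std::string out = dir + "/out";

    write_text(victim, "original");
    symlink(victim.c_str(), out.c_str());   // the builder's planted link

    naive_install(out, "attacker-controlled");
    r.naive_clobbered = (read_file(victim) == "attacker-controlled");

    write_text(victim, "original");         // reset for the hardened attempt
    r.hardened_refused = !safe_install(out, "attacker-controlled");
    r.victim_intact = (read_file(victim) == "original");

    unlink(out.c_str());
    unlink(victim.c_str());
    rmdir(dir.c_str());
    return r;
}

int main() {
    DemoResult r = run_demo();
    std::cout << "naive overwrote link target: " << r.naive_clobbered << "\n"
              << "hardened refused to write:   " << r.hardened_refused << "\n"
              << "victim file intact:          " << r.victim_intact << "\n";
    return 0;
}
```

The naive call succeeds and the victim's contents change, which is the overwrite the advisory describes; the hardened call fails at open() and the victim is untouched. A real store-registration path also has to handle directory trees and legitimately symlinked outputs, which means walking with lstat() and recreating links as links rather than copying through them, but the one-file case shows where the trust boundary is crossed.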
How can this vulnerability impact me?
The impact is greatest in multi-user Linux installations, where builds go through a daemon that runs as root. Anyone who can submit a build can then overwrite any file root can write, which is every file on the system.
Overwriting the right file is enough to obtain root, so the realistic outcome is full compromise of the host: unauthorized access, tampering with data, and takeover of the system. The overwrite is bounded by what the Nix process itself can write, so where Nix runs only as the unprivileged user submitting the build no privilege boundary is crossed, although a build can still damage that user's own files.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Nix to a fixed release: 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3 or 2.28.6, whichever matches your line. The affected-version table lists no fixed release for the 2.18, 2.19 and 2.20 lines, so installations on those lines need to move to a fixed line. In a multi-user installation the daemon is the process that performs output registration, so make sure the daemon itself is restarted on the new version, not just the client binary reported by `nix --version`.
Until the upgrade is in place, restrict who can submit builds to the daemon to trusted users, since that set of users is exactly the set that can trigger the overwrite; the `allowed-users` setting in nix.conf controls who may connect to the daemon at all.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows users who can submit builds to the Nix daemon to gain root privileges by modifying sensitive files. Such unauthorized privilege escalation and potential modification of sensitive files can lead to breaches of data confidentiality and integrity.
As a result, organizations using affected versions of Nix in multi-user installations may face increased risks of non-compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity.