CVE-2026-39860
Status: Awaiting Analysis (queue)
Symlink Follow Vulnerability in Nix Allows Root Overwrite

Publication date: 2026-04-08

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds; sandboxed macOS builds are unaffected.

The temporary output used for the output copy was located inside the build chroot. The derivation builder could create a symlink at that path pointing to an arbitrary location in the filesystem. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users, defaulting to all users) to gain root privileges by modifying sensitive files.

This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (10 associated CPEs)
Vendor  Product  Version / Range
nixos   nix      from 2.18.2 (inclusive) to 2.18.9 (inclusive)
nixos   nix      from 2.19.4 (inclusive) to 2.19.7 (inclusive)
nixos   nix      from 2.20.5 (inclusive) to 2.20.9 (inclusive)
nixos   nix      from 2.21.0 (inclusive) to 2.28.6 (exclusive)
nixos   nix      from 2.29.0 (inclusive) to 2.29.3 (exclusive)
nixos   nix      from 2.30.0 (inclusive) to 2.30.4 (exclusive)
nixos   nix      from 2.31.0 (inclusive) to 2.31.4 (exclusive)
nixos   nix      from 2.32.0 (inclusive) to 2.32.7 (exclusive)
nixos   nix      from 2.33.0 (inclusive) to 2.33.4 (exclusive)
nixos   nix      from 2.34.0 (inclusive) to 2.34.5 (exclusive)
CWE
CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Nix package manager for Linux and Unix systems. A bug in the fix for a previous vulnerability (CVE-2024-27297) allows arbitrary overwrites of files that the Nix process can write to. This happens because the Nix process follows symbolic links during the registration of fixed-output derivation outputs, which can point to arbitrary locations in the filesystem.

Specifically, during sandboxed Linux builds, a symlink can be created by the derivation builder inside the build chroot pointing to any file on the system. When the Nix process (usually running as root in multi-user setups) registers the output, it follows this symlink and overwrites the target file with the build output. This flaw allows users who can submit builds to the Nix daemon to overwrite sensitive files and potentially gain root privileges.

Sandboxed macOS builds are not affected by this vulnerability. The issue is fixed in several Nix versions including 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
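The weakness described above (CWE-61) is a privileged process writing to a path whose final component, or one of its parents, is a symlink that a less privileged party controls. The following is an added example, not Nix's code and not taken from the advisory: a constructed, self-contained Python script that stages a temporary directory standing in for the build chroot, plants a symlink at the output path pointing at a stand-in "sensitive" file, and contrasts a naive write (which follows the link and overwrites the target) with a hardened write that refuses symlinks via lstat(), confines the resolved parent directory to the staging root, and opens with O_NOFOLLOW as a race-resistant backstop. Function names, paths and file contents are all invented for the demonstration; it assumes a POSIX platform where os.O_NOFOLLOW exists.

```python
import os
import stat
import tempfile
from pathlib import Path


def naive_register_output(staging_path: Path, contents: bytes) -> None:
    """Copy build output to the staging path the way the advisory describes:
    open() follows a symlink at the final component, so a planted link
    redirects the write to wherever it points (CWE-61)."""
    with open(staging_path, "wb") as f:
        f.write(contents)


def safe_register_output(staging_path: Path, staging_root: Path, contents: bytes) -> None:
    """Hardened variant: never write through a symlink and never outside staging_root."""
    # 1. lstat() inspects the final path component without following it.
    try:
        st = os.lstat(staging_path)
    except FileNotFoundError:
        st = None
    if st is not None and stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to follow symlink at {staging_path}")

    # 2. The parent chain may itself contain symlinks; resolve it and require
    #    that the real directory still lies beneath the staging root.
    resolved_parent = staging_path.parent.resolve(strict=True)
    root = staging_root.resolve(strict=True)
    if resolved_parent != root and root not in resolved_parent.parents:
        raise PermissionError(f"{staging_path} resolves outside {staging_root}")

    # 3. O_NOFOLLOW makes the kernel reject a symlink at open time as well,
    #    closing the window between the lstat() above and the write.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(staging_path, flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(contents)


def demo() -> dict:
    """Constructed scenario: a symlink at the staging output path pointing at a
    file the privileged copier can write. Returns what each variant did."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "host"                 # stand-in for the host filesystem
        host.mkdir()
        sensitive = host / "sensitive.conf"       # stand-in for a root-owned file
        sensitive.write_bytes(b"original")

        staging_root = Path(tmp) / "chroot-staging"  # stand-in for the build chroot
        staging_root.mkdir()
        out = staging_root / "out"
        out.symlink_to(sensitive)                 # the planted symlink from the advisory
        payload = b"builder-chosen contents"

        # Naive copy: the write lands on the symlink target.
        naive_register_output(out, payload)
        naive_overwrote = sensitive.read_bytes() == payload

        # Hardened copy: the symlink is detected and the target is untouched.
        sensitive.write_bytes(b"original")
        try:
            safe_register_output(out, staging_root, payload)
            safe_refused = False
        except PermissionError:
            safe_refused = True
        sensitive_intact = sensitive.read_bytes() == b"original"

        # A genuine regular file beneath the staging root is still accepted.
        real_out = staging_root / "real-out"
        safe_register_output(real_out, staging_root, payload)
        regular_written = real_out.read_bytes() == payload

        return {
            "naive_overwrote": naive_overwrote,
            "safe_refused": safe_refused,
            "sensitive_intact": sensitive_intact,
            "regular_written": regular_written,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three checks are layered on purpose: lstat() alone leaves a window in which the path could be swapped for a symlink before the open, the parent-directory containment check covers links planted higher in the path, and O_NOFOLLOW lets the kernel enforce the final-component rule atomically. The same pattern applies to any daemon that copies files out of a directory a less trusted principal can populate.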


How can this vulnerability impact me?

This vulnerability can have severe impacts if you use Nix in a multi-user Linux environment. Since the Nix daemon typically runs as root, an attacker who can submit builds can exploit this flaw to overwrite arbitrary files on the system.

The main impact is that attackers can gain root privileges by modifying sensitive system files, which compromises the entire system's security. This can lead to unauthorized access, data manipulation, and potentially full system takeover.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade the Nix package manager to one of the fixed versions: 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, or 2.28.6.

Since the vulnerability allows arbitrary file overwrites by users able to submit builds to the Nix daemon, restricting build submission permissions to trusted users only can reduce risk until the update is applied.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows users who can submit builds to the Nix daemon to gain root privileges by modifying sensitive files. Such unauthorized privilege escalation and potential modification of sensitive files can lead to breaches of data confidentiality and integrity.

As a result, organizations using affected versions of Nix in multi-user installations may face increased risks of non-compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity.

