CVE-2026-44028
Deferred Deferred - Pending Action
Stack Overflow in Nix Package Manager

Publication date: 2026-05-05

Last updated on: 2026-05-09

Assigner: MITRE

Description
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-09
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44028
EUVD
EUVD-2026-27163
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
nix nix 2.34.7
nix nix 2.33.6
nix nix 2.32.8
nix nix 2.31.5
nix nix 2.30.5
nix nix 2.29.4
nix nix 2.28.7
lix lix 2.95.2
lix lix 2.94.2
lix lix 2.93.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Nix before version 2.34.7 and Lix before version 2.95.2. It involves unbounded recursion in the NAR (Nix Archive) parser, which can cause a stack-to-heap overflow when the parser runs on a coroutine stack.

Because the stack is allocated without a guard page, the overflow can overwrite memory on the heap. This memory corruption could allow an attacker to execute arbitrary code as the Nix daemon, which runs with root privileges in multi-user installations.

The vulnerability can be exploited by any user able to connect to the daemon, which by default includes all users unless restricted by configuration.

Impact Analysis

This vulnerability can lead to arbitrary code execution with root privileges on systems running vulnerable versions of Nix or Lix. An attacker who can connect to the Nix daemon could exploit this flaw to gain elevated access and potentially take full control of the affected system.

Because the Nix daemon runs as root in multi-user environments, exploitation could compromise system integrity and security, leading to unauthorized actions, data breaches, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Nix to one of the fixed versions: 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, or 2.29.4 (for versions introduced in 2.24.4). For Lix, upgrade to 2.95.2, 2.94.2, or 2.93.4 (introduced in 2.93.0).

Additionally, review and restrict the allowed-users setting for the Nix daemon to limit which users can connect, reducing the attack surface.

Detection Guidance

The vulnerability affects Nix and Lix daemon implementations before certain fixed versions. Detection primarily involves verifying the installed versions of Nix or Lix on your system to determine if they are vulnerable.

You can check the installed version of Nix or Lix using the following commands:

  • nix --version
  • lix --version

If the version is older than the fixed versions (Nix versions before 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7; Lix versions before 2.95.2, 2.94.2, and 2.93.4), your system is vulnerable.

Since the vulnerability requires local access to the Nix or Lix daemon, you should also check which users are allowed to connect to the daemon by inspecting the daemon configuration, particularly the allowed-users and trusted-users settings.

There are no specific network or system scanning commands provided in the resources to detect exploitation attempts or the vulnerability directly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44028. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart