CVE-2026-39860 - Vulnerability Analysis
Severity: Critical | CVSS: 9.0 | Last Updated: April 8, 2026
Nix - Privilege Escalation
Published: April 8, 2026 | Updated: April 8, 2026
Overview
Nix before 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6 contains a privilege escalation caused by symlink following during fixed-output derivation output registration in sandboxed Linux builds. A user with build submission rights can use it to gain root privileges. Exploitation requires a multi-user installation in which the attacker has build submission access.
Severity & Score
Severity: Critical
CVSS Score: 9.0
Impact
Users able to submit builds can gain root privileges by overwriting sensitive files through the symlink-following flaw.
Mitigation
Update to version 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, or 2.28.6, or a later release in the same series.
References
- https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj
- https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
- https://github.com/NixOS/nix/commit/4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a
- https://github.com/NixOS/nix/commit/7794354a982449927ee7401cdeb573ddd16c4688
- https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a
- https://github.com/NixOS/nix/pull/10178
Details
- CVE ID: CVE-2026-39860
- Severity: Critical
- CVSS Score: 9.0
- Type: broken_access_control
- Status: unconfirmed
CWE
- CWE-61 (UNIX Symbolic Link (Symlink) Following)
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N