critical Code Vulnerability
Nix Daemon Privilege Escalation to Root via Symlink Following
| Field | Value |
|---|---|
| CVE | CVE-2026-39860 |
| Severity | critical |
| Status | open |
| Date | April 8, 2026 |
| Affects | Nix multi-user installations on Linux |
| Source | discourse.nixos.org |
Details
CVSS 9.0. A bug in the fix for CVE-2024-27297 allows symlink following while the daemon registers the output of a fixed-output derivation. Any user permitted to submit builds to the daemon (all local users by default) can turn this into an arbitrary file write as root, and from there into full privilege escalation. The issue is specific to multi-user installations, where builds are performed by the root-owned nix-daemon on behalf of unprivileged users. Fix: Nix 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, 2.28.6 (one patched release per affected 2.x series).
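Because the fix is released per 2.x series, "is my daemon new enough?" is a per-series comparison rather than a single threshold. The script below is an added example for this entry, not code from the advisory or from the Nix project: it parses `nix --version` output, looks up the fixed release for that version's series from the list above, and reports whether the installed version carries the fix. It assumes versions of the form MAJOR.MINOR.PATCH, treats series newer than the newest listed fix as patched (an assumption, since they branched after the fix) and series older than the oldest listed fix as vulnerable (no fix is listed for them). The sample `nix --version` output is constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example for the CVE-2026-39860 entry; not part of the advisory or of Nix.
# Decide whether an installed Nix version is at or past the fixed release for
# its 2.x series.

# Fixed releases listed in the advisory, one per affected 2.x series.
FIXED_VERSIONS="2.34.5 2.33.4 2.32.7 2.31.4 2.30.4 2.29.3 2.28.6"

# Extract "X.Y.Z" from `nix --version` output such as "nix (Nix) 2.33.2"
# (the version is the last whitespace-separated token).
nix_version_from_output() {
  local out="$1"
  printf '%s\n' "${out##* }"
}

# Print the fixed release for a "MAJOR.MINOR" series; fail if none is listed.
nix_fixed_for_series() {
  local series="$1" v
  for v in $FIXED_VERSIONS; do
    case "$v" in
      "$series".*) printf '%s\n' "$v"; return 0 ;;
    esac
  done
  return 1
}

# Return 0 if VERSION carries the fix, 1 if it is still vulnerable.
nix_is_fixed() {
  local version="$1" major minor patch fixed fpatch newest newest_minor
  major=${version%%.*}
  minor=${version#*.}; minor=${minor%%.*}; minor=${minor%%[!0-9]*}
  case "$version" in
    *.*.*) patch=${version#*.*.} ;;
    *)     patch=0 ;;               # "2.30" with no patch component
  esac
  patch=${patch%%[!0-9]*}           # drop pre-release suffixes such as "4pre..."
  [ -n "$patch" ] || patch=0
  case "$major$minor" in
    ''|*[!0-9]*) return 1 ;;        # unparseable: do not claim it is fixed
  esac

  # Only 2.x releases appear in the advisory's table.
  if [ "$major" -gt 2 ]; then return 0; fi
  if [ "$major" -lt 2 ]; then return 1; fi

  if fixed=$(nix_fixed_for_series "$major.$minor"); then
    fpatch=${fixed#*.*.}
    if [ "$patch" -ge "$fpatch" ]; then return 0; else return 1; fi
  fi

  # Assumption: series newer than the newest listed fix branched after the fix.
  # Series older than the oldest listed fix have no fix listed: vulnerable.
  newest=${FIXED_VERSIONS%% *}
  newest_minor=${newest#*.}; newest_minor=${newest_minor%%.*}
  if [ "$minor" -gt "$newest_minor" ]; then return 0; else return 1; fi
}

# Check a real binary (default: `nix` on PATH). Returns 2 if it is not found,
# 1 if vulnerable, 0 if fixed.
check_live_nix() {
  local bin="${1:-nix}" v
  command -v "$bin" >/dev/null 2>&1 || return 2
  v=$(nix_version_from_output "$("$bin" --version 2>/dev/null)")
  if nix_is_fixed "$v"; then
    printf '%s %s: fixed\n' "$bin" "$v"
  else
    printf '%s %s: vulnerable to CVE-2026-39860, upgrade the daemon\n' "$bin" "$v"
    return 1
  fi
}

# Constructed sample output so the script demonstrates itself offline.
SAMPLE_OUTPUT="nix (Nix) 2.33.2"
sample_version=$(nix_version_from_output "$SAMPLE_OUTPUT")
if nix_is_fixed "$sample_version"; then
  printf 'sample %s: fixed\n' "$sample_version"
else
  printf 'sample %s: vulnerable, needs %s\n' "$sample_version" \
    "$(nix_fixed_for_series "${sample_version%.*}")"
fi
```

On a multi-user install the version that matters is the one the daemon service runs, not the client in a user's shell, which may come from a different profile; on installer-based systems the daemon normally runs from the default profile, so `check_live_nix /nix/var/nix/profiles/default/bin/nix` checks that binary directly. The `allowed-users` setting in nix.conf limits which users may connect to the daemon at all; that narrows who can reach the vulnerable code path but is not a substitute for upgrading.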