CVE-2026-39860: CWE-61: UNIX Symbolic Link (Symlink) Following in NixOS nix
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
AI Analysis
Technical Summary
The vulnerability arises from the Nix package manager's handling of fixed-output derivation output registration in sandboxed Linux builds. A symlink created by the derivation builder inside the build chroot can point to arbitrary filesystem locations. When the Nix daemon (running as root) follows this symlink during output registration, it overwrites the target file with the derivation's output. This allows any user authorized to submit builds to the Nix daemon to escalate privileges to root by modifying sensitive files. The flaw is a regression introduced by an incomplete fix for CVE-2024-27297. Multiple affected versions are listed, and the vulnerability is resolved in versions 2.28.6, 2.29.3, 2.30.4, 2.31.4, 2.32.7, 2.33.4, and 2.34.5.
Potential Impact
Successful exploitation allows privilege escalation to root on multi-user Nix installations by overwriting arbitrary files writable by the Nix daemon. This can compromise system integrity and security by modifying sensitive files. The vulnerability affects sandboxed Linux builds only and does not impact sandboxed macOS builds. The CVSS v3.1 score is 9.0 (critical), reflecting the high impact on confidentiality and integrity with no required user interaction and low attack complexity.
Mitigation Recommendations
A fix is available in Nix versions 2.28.6, 2.29.3, 2.30.4, 2.31.4, 2.32.7, 2.33.4, and 2.34.5. Users should upgrade to one of these patched versions to remediate the vulnerability. No vendor advisory content contradicts this; therefore, upgrading is the recommended action. There is no indication that this vulnerability is mitigated by configuration changes or that no action is required.
CVE-2026-39860: CWE-61: UNIX Symbolic Link (Symlink) Following in NixOS nix
Description
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from the Nix package manager's handling of fixed-output derivation output registration in sandboxed Linux builds. A symlink created by the derivation builder inside the build chroot can point to arbitrary filesystem locations. When the Nix daemon (running as root) follows this symlink during output registration, it overwrites the target file with the derivation's output. This allows any user authorized to submit builds to the Nix daemon to escalate privileges to root by modifying sensitive files. The flaw is a regression introduced by an incomplete fix for CVE-2024-27297. Multiple affected versions are listed, and the vulnerability is resolved in versions 2.28.6, 2.29.3, 2.30.4, 2.31.4, 2.32.7, 2.33.4, and 2.34.5.
Potential Impact
Successful exploitation allows privilege escalation to root on multi-user Nix installations by overwriting arbitrary files writable by the Nix daemon. This can compromise system integrity and security by modifying sensitive files. The vulnerability affects sandboxed Linux builds only and does not impact sandboxed macOS builds. The CVSS v3.1 score is 9.0 (critical), reflecting the high impact on confidentiality and integrity with no required user interaction and low attack complexity.
Mitigation Recommendations
A fix is available in Nix versions 2.28.6, 2.29.3, 2.30.4, 2.31.4, 2.32.7, 2.33.4, and 2.34.5. Users should upgrade to one of these patched versions to remediate the vulnerability. No vendor advisory content contradicts this; therefore, upgrading is the recommended action. There is no indication that this vulnerability is mitigated by configuration changes or that no action is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T19:13:20.379Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d6c32c1cc7ad14dab1ab39
Added to database: 4/8/2026, 9:05:48 PM
Last enriched: 4/8/2026, 9:21:18 PM
Last updated: 4/9/2026, 8:06:43 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.