Nix, a package manager for Unix-like systems, contains a critical vulnerability (CVE-2026-39860) due to improper handling of symbolic links during fixed-output derivation output registration in sandboxed Linux builds. The flaw allows an attacker who can submit builds to the Nix daemon (running as root in multi-user setups) to create symlinks pointing to arbitrary filesystem locations inside the build chroot. When the Nix process follows these symlinks during output registration, it overwrites files writable by the daemon, enabling privilege escalation to root. This vulnerability is a regression from a previous fix (CVE-2024-27297). It affects multiple versions of Nix prior to the fixed releases 2.28.6, 2.29.3, 2.30.4, 2.31.4, 2.32.7, 2.33.4, and 2.34.5. Sandboxed macOS builds are not affected. The CVSS v3.1 base score is 9.0, indicating critical severity.

Exploitation of this vulnerability allows any user authorized to submit builds to the Nix daemon in multi-user installations to overwrite arbitrary files writable by the daemon, including sensitive system files. This can lead to full root privilege escalation on affected Linux systems. The impact is critical due to the potential for complete system compromise. Sandboxed macOS builds are unaffected, limiting the impact to Linux environments.

A fix for this vulnerability is available in Nix versions 2.28.6, 2.29.3, 2.30.4, 2.31.4, 2.32.7, 2.33.4, and 2.34.5. Users should upgrade to one of these versions to remediate the issue. There is no vendor advisory content indicating alternative mitigations or that no action is required. Patch status is confirmed by the provided version information. Users running affected versions should prioritize updating to a fixed release to prevent exploitation.