CVE-2026-44028: CWE-674 Uncontrolled Recursion in NixOS Nix
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
AI Analysis
Technical Summary
This vulnerability arises from unbounded recursion in the NAR parser of Nix before version 2.34.7 and Lix before 2.95.2. The stack allocated for coroutine execution lacks a guard page, enabling a stack overflow to overwrite heap memory. This memory corruption can lead to arbitrary code execution with root privileges via the Nix daemon. Exploitation requires local access to the daemon, which by default allows all users. The issue is tracked as CWE-674 (Uncontrolled Recursion). Fixed versions for Nix start at 2.28.7 and later, and for Lix at 2.93.4 and later.
Potential Impact
Successful exploitation can result in arbitrary code execution with root privileges on systems running vulnerable versions of the Nix daemon in multi-user mode. This poses a significant risk as it compromises system integrity and confidentiality. The vulnerability requires local access and the ability to connect to the daemon, which by default is open to all users. There are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
Fixed versions of Nix (2.34.7 and later) and Lix (2.95.2 and later) have been released to address this vulnerability. Users should upgrade to these versions or later to remediate the issue. Since the vendor advisory does not specify alternative mitigations or temporary fixes, patching is the recommended action. Additionally, reviewing and restricting the allowed-users setting for the Nix daemon can reduce exposure by limiting which users can connect to the daemon.
CVE-2026-44028: CWE-674 Uncontrolled Recursion in NixOS Nix
Description
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from unbounded recursion in the NAR parser of Nix before version 2.34.7 and Lix before 2.95.2. The stack allocated for coroutine execution lacks a guard page, enabling a stack overflow to overwrite heap memory. This memory corruption can lead to arbitrary code execution with root privileges via the Nix daemon. Exploitation requires local access to the daemon, which by default allows all users. The issue is tracked as CWE-674 (Uncontrolled Recursion). Fixed versions for Nix start at 2.28.7 and later, and for Lix at 2.93.4 and later.
Potential Impact
Successful exploitation can result in arbitrary code execution with root privileges on systems running vulnerable versions of the Nix daemon in multi-user mode. This poses a significant risk as it compromises system integrity and confidentiality. The vulnerability requires local access and the ability to connect to the daemon, which by default is open to all users. There are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
Fixed versions of Nix (2.34.7 and later) and Lix (2.95.2 and later) have been released to address this vulnerability. Users should upgrade to these versions or later to remediate the issue. Since the vendor advisory does not specify alternative mitigations or temporary fixes, patching is the recommended action. Additionally, reviewing and restricting the allowed-users setting for the Nix daemon can reduce exposure by limiting which users can connect to the daemon.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-05-05T00:29:44.087Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f94292cbff5d86107871d5
Added to database: 5/5/2026, 1:06:26 AM
Last enriched: 5/5/2026, 1:21:35 AM
Last updated: 5/5/2026, 2:16:35 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.