CVE-2026-44028: CWE-674 Uncontrolled Recursion in NixOS Nix
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
AI Analysis
Technical Summary
This vulnerability arises from unbounded recursion in the NAR parser of Nix before version 2.34.7 and Lix before 2.95.2. The stack allocated for the coroutine parser lacks a guard page, enabling a stack overflow to overwrite heap memory. If address space layout randomization (ASLR) is bypassed, this memory corruption can lead to arbitrary code execution with root privileges via the Nix daemon. Exploitation requires local access to the daemon, which is typically accessible to all users unless restricted by configuration. The issue was introduced in Nix version 2.24.4 and has been fixed in multiple subsequent versions including 2.34.7 and others.
Potential Impact
Successful exploitation allows an attacker with local access to the Nix daemon to execute arbitrary code with root privileges. This can lead to full system compromise on multi-user installations where the daemon runs as root. The vulnerability affects confidentiality and integrity with high impact, but does not affect availability. Exploitation requires local access and some conditions such as bypassing ASLR.
Mitigation Recommendations
Fixed versions of Nix and Lix have been released (Nix 2.34.7 and later, Lix 2.95.2 and later). Users should upgrade to these versions or later to remediate this vulnerability. No vendor advisory content is provided here, but the description explicitly lists fixed versions. Until upgraded, restricting access to the Nix daemon via the allowed-users setting can reduce exposure. Patch status is confirmed by the provided fixed version information.
CVE-2026-44028: CWE-674 Uncontrolled Recursion in NixOS Nix
Description
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
CVSS v3.1
Score 7.5high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from unbounded recursion in the NAR parser of Nix before version 2.34.7 and Lix before 2.95.2. The stack allocated for the coroutine parser lacks a guard page, enabling a stack overflow to overwrite heap memory. If address space layout randomization (ASLR) is bypassed, this memory corruption can lead to arbitrary code execution with root privileges via the Nix daemon. Exploitation requires local access to the daemon, which is typically accessible to all users unless restricted by configuration. The issue was introduced in Nix version 2.24.4 and has been fixed in multiple subsequent versions including 2.34.7 and others.
Potential Impact
Successful exploitation allows an attacker with local access to the Nix daemon to execute arbitrary code with root privileges. This can lead to full system compromise on multi-user installations where the daemon runs as root. The vulnerability affects confidentiality and integrity with high impact, but does not affect availability. Exploitation requires local access and some conditions such as bypassing ASLR.
Mitigation Recommendations
Fixed versions of Nix and Lix have been released (Nix 2.34.7 and later, Lix 2.95.2 and later). Users should upgrade to these versions or later to remediate this vulnerability. No vendor advisory content is provided here, but the description explicitly lists fixed versions. Until upgraded, restricting access to the Nix daemon via the allowed-users setting can reduce exposure. Patch status is confirmed by the provided fixed version information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-05-05T00:29:44.087Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f94292cbff5d86107871d5
Added to database: 5/5/2026, 1:06:26 AM
Last enriched: 5/12/2026, 5:57:59 AM
Last updated: 6/18/2026, 11:45:29 AM
Views: 78
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.