Nix Package Manager CVE-2026-39860: Quick Look at a Critical Symlink Following Privilege Escalation

A brief summary of CVE-2026-39860, a CVSS 9.0 symlink following vulnerability in the Nix package manager that enables local privilege escalation to root on multi-user Linux installations, including detection methods and affected version details.

CVE Analysis


ZeroPath CVE Analysis

2026-04-08

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A regression introduced while fixing a previous Nix security flaw has opened a direct path to root privilege escalation on every multi-user Linux installation running an unpatched version of the Nix package manager. Any local user who can submit a build to the Nix daemon, which by default means every user on the system, can overwrite arbitrary files owned by root by exploiting symlink following during fixed-output derivation (FOD) output registration.

Nix is a cross-platform package manager for Unix-like systems, originally created in 2003, that underpins the NixOS Linux distribution and is widely used in reproducible build pipelines, CI/CD infrastructure, and developer environments. Its functional approach to package management has made it a foundational tool in the DevOps and infrastructure-as-code ecosystem. This vulnerability, scored at CVSS 9.0, is particularly relevant because Nix's multi-user daemon model is the standard deployment pattern for shared build infrastructure and NixOS systems.

Technical Information

Root Cause

CVE-2026-39860 is a direct consequence of the fix applied for CVE-2024-27297, a vulnerability disclosed in March 2024 that allowed corruption of fixed-output derivations on Linux. The 2024 flaw involved file descriptors being sent to files in the Nix store via Unix domain sockets in the abstract namespace after Nix had already registered the path as valid and immutable. The remediation for that issue, specifically commit a3163b9, modified src/libstore/build/local-derivation-goal.cc to change the copy/rename ordering for FOD temporary outputs. However, this change placed the .tmp copy destination inside the build chroot, creating a new vulnerability.

The core problem is UNIX symbolic link following, classified as CWE-61. The Nix daemon, running as root in the host mount namespace, registers a fixed-output derivation's output by first copying it to a temporary path (<actualPath>.tmp) and then moving that copy into place, the copy-then-rename sequence that the CVE-2024-27297 fix introduced. Because the temporary path lies inside the build chroot, the sandboxed (and potentially malicious) builder process can write there: it replaces the expected entry with a symlink pointing anywhere on the host filesystem. When the daemon's copy follows that symlink, the derivation's output contents are written into the symlink's target rather than into the chroot.

This is fundamentally a cross-namespace trust violation: a privileged process in the host namespace trusts a filesystem path that an unprivileged, sandboxed namespace controls. Feedly's threat intelligence maps it to CAPEC-27 (Leveraging Race Conditions via Symbolic Links), the TOCTOU pattern. Note, though, that the attack flow below does not require winning a race: the builder can plant the symlink before output registration starts, so the daemon's copy simply follows a link that was already in place.

Attack Flow

The exploitation path proceeds as follows:

  1. Attacker submits a malicious fixed-output derivation build to the Nix daemon. In the default multi-user configuration, the allowed-users setting (default *) permits every local user to do this.

  2. Inside the build sandbox, the derivation's builder creates a symlink at the path where the Nix daemon will later write the temporary output file (<actualPath>.tmp). The symlink points at a sensitive file on the host filesystem, such as /etc/shadow, /etc/passwd, or /etc/sudoers.

  3. During output registration, the Nix daemon, running as root in the host mount namespace, copies the derivation output to that temporary path. The copy follows the symlink transparently, so the write lands in the link's target instead of the chroot.

  4. The target file on the host filesystem is overwritten with the contents of the derivation's output. Since the attacker controls the derivation output, they can write arbitrary content to the target file.

  5. The attacker achieves root privilege escalation by, for example, writing a modified /etc/shadow with a known root password, or modifying /etc/sudoers to grant themselves unrestricted sudo access.

Scope Limitations

This vulnerability is isolated to sandboxed Linux builds. Sandboxed macOS builds are unaffected because the macOS sandbox implementation takes a different code path for output registration. Single-user Nix installations (no nix-daemon; builds run directly as the invoking user) are technically vulnerable, but the impact is limited: a malicious derivation can only overwrite files that user could already write, so there is no privilege gain.

Detection Methods

Vulnerability Scanner Coverage

Tenable has published a Nessus plugin, Plugin ID 305572 (filename: unpatched_CVE_2026_39860.nasl), specifically for this vulnerability. Published on April 8, 2026, this is a local check that requires the Nessus Agent running on the target host. The plugin checks for the presence of the vulnerable nix package on Debian-based Linux distributions (Debian 11 through 14) using CPE identifiers such as cpe:/o:debian:debian_linux and p-cpe:/a:debian:debian_linux:nix. As of the plugin's publish date, the Debian nix package remains unfixed across all Debian releases (bullseye through sid), so the plugin will flag any system with Nix installed via the Debian package repository. No other vulnerability scanner plugins (OpenVAS, Qualys) have been publicly confirmed yet.

Package Version Auditing

The most direct and reliable detection method is checking the installed Nix version. Running nix --version and comparing the result against the patched thresholds below is the fastest triage method. On a multi-user installation, check the Nix that nix-daemon runs (the system-wide installation), not a newer client a user may have installed in a profile: it is the daemon that performs the vulnerable copy. A distribution package version such as Debian's 2.34.3+dfsg-1 is compared on its upstream part (2.34.3).

The vulnerable version ranges are:

  • Nix >= 2.21 (where the vulnerable commit landed in mainline), up to but excluding the patched releases below
  • The releases that backported the CVE-2024-27297 fix to older branches: 2.18.x from 2.18.2, 2.19.x from 2.19.4, and 2.20.x from 2.20.5

The patched versions are: 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6. No fixed release is listed for branches 2.18 through 2.27, so installations on those branches need to move to a patched release on 2.28 or later.

Notably, Lix users are not affected, as Lix took a different remediation path for the original CVE-2024-27297.
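As an added example of the version triage described above (example code, not tooling from the Nix project), the following POSIX shell function classifies a nix --version banner against the ranges listed here. It assumes the banner ends with a dotted version number (distribution suffixes such as +dfsg-1 are ignored), that Lix identifies itself with "Lix" in its banner, and it reports branches newer than 2.34 as unknown rather than guessing, because no release on them is listed in this analysis.

```shell
#!/bin/sh
# Added example (not Nix project code): classify a `nix --version` banner
# against the CVE-2026-39860 version ranges listed in this article.
# Assumptions: the banner ends with a dotted version number, Lix prints "Lix"
# in its banner, and branches newer than 2.34 are reported as "unknown"
# because no release on them is listed here.

# classify_nix_version BANNER
# Prints one word: vulnerable | patched | unaffected | unknown
classify_nix_version() {
  banner=$1
  case "$banner" in
    *Lix*) echo unaffected; return 0 ;;   # Lix took a different CVE-2024-27297 fix
  esac
  # Last whitespace-separated token: "nix (Nix) 2.34.3" -> "2.34.3"
  ver=$(printf '%s\n' "$banner" | awk '{print $NF}')
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch='' ;;
  esac
  # Keep only leading digits: "3+dfsg-1" -> "3"; a missing patch level counts as 0
  patch=$(printf '%s\n' "$patch" | sed 's/[^0-9].*$//')
  [ -n "$patch" ] || patch=0
  case "$major$minor$patch" in
    ''|*[!0-9]*) echo unknown; return 0 ;;
  esac
  # Anything before 2.18.2 predates the CVE-2024-27297 fix that introduced the bug.
  if [ "$major" -ne 2 ] || [ "$minor" -lt 18 ]; then
    echo unaffected; return 0
  fi
  # First affected patch level on the branches that received that backport.
  case "$minor" in
    18) first_bad=2 ;;
    19) first_bad=4 ;;
    20) first_bad=5 ;;
    *)  first_bad=0 ;;
  esac
  if [ "$patch" -lt "$first_bad" ]; then
    echo unaffected; return 0
  fi
  if [ "$minor" -gt 34 ]; then
    echo unknown; return 0         # not covered by the published ranges
  fi
  # First fixed release per branch, as published for CVE-2026-39860.
  case "$minor" in
    28) first_fixed=6 ;;
    29) first_fixed=3 ;;
    30) first_fixed=4 ;;
    31) first_fixed=4 ;;
    32) first_fixed=7 ;;
    33) first_fixed=4 ;;
    34) first_fixed=5 ;;
    *)  first_fixed='' ;;          # 2.21 through 2.27: no fixed release listed
  esac
  if [ -n "$first_fixed" ] && [ "$patch" -ge "$first_fixed" ]; then
    echo patched; return 0
  fi
  echo vulnerable
}

# Constructed banners in the form `nix --version` prints them.
for sample in 'nix (Nix) 2.18.1' 'nix (Nix) 2.18.2' 'nix (Nix) 2.24.10' \
              'nix (Nix) 2.34.3+dfsg-1' 'nix (Nix) 2.34.5' 'nix (Lix, like Nix) 2.91.0'; do
  printf '%-30s %s\n' "$sample" "$(classify_nix_version "$sample")"
done
# On a multi-user install, run this against the daemon's Nix, not a user profile.
if command -v nix >/dev/null 2>&1; then
  printf '%-30s %s\n' "$(nix --version)" "$(classify_nix_version "$(nix --version)")"
fi
```

The function deliberately treats 2.21 through 2.27 as vulnerable with no fixed release, which matches the published list: the only way off those branches is an upgrade to 2.28.6 or a later patched release.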

Debian Security Tracker

The Debian Security Tracker lists this CVE with Bug #1133004. As of the publication date of this analysis (April 8, 2026), the nix source package remains marked as "vulnerable" across all Debian releases, including sid (unstable), which ships version 2.34.3+dfsg-1, below the patched threshold of 2.34.5. Organizations relying on Debian-packaged Nix should monitor the tracker for an update and consider installing an upstream patched release directly in the meantime.

Behavioral Indicators and Log Monitoring

While no formal YARA rules, Sigma rules, Snort/Suricata signatures, or published IoCs exist for this vulnerability, the nature of the exploit offers some observational guidance:

Symlink creation in build chroots: The attack relies on a symlink planted at <actualPath>.tmp (the output's store path with a .tmp suffix, as seen inside the build chroot) during a fixed-output derivation build, pointing at a sensitive file on the host. Monitoring the build chroot directories (historically created under /nix/store alongside the derivation; the exact location depends on the Nix version) for symlinks whose target resolves outside /nix/store, especially a .tmp entry next to an output path, could indicate an exploitation attempt. Resolve targets in the host's view of the filesystem, which is the daemon's view, and collapse any .. components before comparing against /nix/store.
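An added example of that check (example code, not from Nix): given a directory to scan and the root that targets are allowed to resolve into, it lists every symlink whose target lies outside that root. Relative targets are anchored at the link's own directory and .. components are collapsed lexically, without touching the filesystem, because the target may not exist yet when the link is planted; a target such as /nix/store/x/../../../etc/shadow is therefore not mistaken for a store path. The directory to scan (a build chroot) and the /nix/store root are arguments supplied by the caller; the sample tree is constructed inside the script.

```shell
#!/bin/sh
# Added example (not Nix project code): list symlinks under a directory whose
# target resolves outside an allowed root, the check this article suggests for
# build chroots. Assumptions: the directory to scan and the allowed root are
# passed by the caller; resolution is lexical (".." collapsed without touching
# the filesystem), because the target may not exist when the link is planted.

# normalize_path ABSPATH: collapse "." and ".." components lexically.
normalize_path() {
  out=''
  old_ifs=$IFS
  IFS=/
  set -f                            # no globbing of components such as "*"
  for comp in $1; do
    case "$comp" in
      ''|.) ;;                      # empty or "." adds nothing
      ..)   out=${out%/*} ;;        # step up one component (stops at "/")
      *)    out="$out/$comp" ;;
    esac
  done
  set +f
  IFS=$old_ifs
  printf '%s\n' "${out:-/}"
}

# find_escaping_symlinks DIR ROOT: print "link -> target" for every symlink
# under DIR whose target does not resolve to ROOT or something beneath it.
find_escaping_symlinks() {
  scan_dir=$1
  root=$(normalize_path "$2")
  find "$scan_dir" -type l | while IFS= read -r link; do
    target=$(readlink "$link") || continue
    case "$target" in
      /*) abs=$target ;;                          # absolute target
      *)  abs="$(dirname "$link")/$target" ;;     # relative: anchor at the link's directory
    esac
    abs=$(normalize_path "$abs")
    case "$abs" in
      "$root"|"$root"/*) ;;                       # inside the allowed root
      *) printf '%s -> %s\n' "$link" "$target" ;;
    esac
  done
}

# Demo on a constructed tree standing in for a build chroot.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/nix/store"
ln -s /nix/store/abc-output "$demo_dir/nix/store/ok-link"                  # benign: stays in the store
ln -s /etc/shadow "$demo_dir/nix/store/abc-output.tmp"                     # the pattern described above
ln -s ../../../etc/sudoers "$demo_dir/nix/store/relative-escape"           # relative link leaving the root
ln -s /nix/store/x/../../../etc/shadow "$demo_dir/nix/store/dotdot-escape" # store prefix, but escapes via ".."
find_escaping_symlinks "$demo_dir" /nix/store
rm -rf "$demo_dir"
```

Run it as root against the chroot directories while a suspect build is in progress, or over a snapshot taken at the moment the builder exits; once registration has completed, the chroot is gone and only the overwritten target remains as evidence.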

Unexpected file modifications by the Nix daemon: Since successful exploitation results in the Nix daemon (running as root) overwriting arbitrary files with derivation output contents, monitoring for unexpected writes by the nix-daemon process to sensitive system files (e.g., /etc/passwd, /etc/shadow, /etc/sudoers, systemd units) could serve as a post-compromise detection signal. File integrity monitoring (FIM) tools like AIDE, OSSEC, or Tripwire are relevant here.

Landlock hardening logs (patched versions): Patched versions (2.31 through 2.34) include a defense-in-depth measure using the Linux landlock LSM with LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET to prevent cooperating FODs from communicating via abstract sockets. On kernels >= 6.12 with landlock enabled, the Nix daemon logs "sandbox setup: applied landlock sandboxing" during builds, and a blocked smuggling attempt surfaces as "connect: Operation not permitted". The absence of these landlock messages on a patched system running a >= 6.12 kernel could indicate that the hardening is not functioning as expected. Two caveats: the landlock scoping hardens against the abstract-socket channel from CVE-2024-27297, not the symlink following itself, so its absence says nothing about whether the symlink fix is present; and on an older kernel, or with landlock missing from the active LSM list, a patched Nix still carries the symlink fix, just without this extra layer.
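To check whether a host can actually apply that landlock scoping, here is an added example (not Nix code) that tests the two preconditions the paragraph names: a kernel of at least 6.12 and landlock present in the active LSM list. It assumes securityfs is mounted at /sys/kernel/security, where the kernel exposes the comma-separated active LSM list in the file lsm; the version threshold is the one stated above. Both the LSM file path and the kernel release string can be overridden, which is how the constructed cases at the bottom work.

```shell
#!/bin/sh
# Added example (not Nix project code): check the two preconditions this
# article gives for Nix's landlock abstract-socket scoping to take effect:
# a kernel >= 6.12 and landlock in the active LSM list.
# Assumption: securityfs is mounted, so /sys/kernel/security/lsm exists.

# kernel_at_least MAJOR MINOR [RELEASE]
# True if RELEASE (default: uname -r) is at least MAJOR.MINOR.
# Tolerates suffixes such as "6.12.0-rc1-generic".
kernel_at_least() {
  want_major=$1
  want_minor=$2
  rel=${3:-$(uname -r)}
  have_major=$(printf '%s\n' "${rel%%.*}" | sed 's/[^0-9].*$//')
  have_minor=$(printf '%s\n' "${rel#*.}" | sed 's/[^0-9].*$//')
  [ -n "$have_major" ] && [ -n "$have_minor" ] || return 2
  [ "$have_major" -gt "$want_major" ] && return 0
  [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# landlock_active [LSM_FILE]
# True if "landlock" appears in the kernel's active LSM list.
landlock_active() {
  lsm_file=${1:-/sys/kernel/security/lsm}
  [ -r "$lsm_file" ] || return 2
  case ",$(tr -d '[:space:]' < "$lsm_file")," in
    *,landlock,*) return 0 ;;
    *)            return 1 ;;
  esac
}

# landlock_scoping_status [LSM_FILE] [RELEASE]
# Prints one word: ok | kernel-too-old | no-landlock
landlock_scoping_status() {
  if ! landlock_active "${1:-}"; then
    echo no-landlock
  elif ! kernel_at_least 6 12 "${2:-}"; then
    echo kernel-too-old
  else
    echo ok
  fi
}

# Constructed LSM lists, in the format the real /sys/kernel/security/lsm uses.
tmp=$(mktemp)
printf 'lockdown,capability,landlock,yama,bpf\n' > "$tmp"
printf 'with landlock, kernel 6.12.0-rc1: %s\n' "$(landlock_scoping_status "$tmp" 6.12.0-rc1)"
printf 'with landlock, kernel 6.11.9:     %s\n' "$(landlock_scoping_status "$tmp" 6.11.9)"
printf 'capability,yama\n' > "$tmp"
printf 'without landlock, kernel 6.12.0:  %s\n' "$(landlock_scoping_status "$tmp" 6.12.0)"
rm -f "$tmp"
# The live host: defaults to /sys/kernel/security/lsm and uname -r.
printf 'this host:                        %s\n' "$(landlock_scoping_status)"
```

A kernel-too-old or no-landlock verdict on a patched system explains missing "applied landlock sandboxing" messages without implying the Nix patch is absent; it means only that this particular defense-in-depth layer is not in play.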

Attack Pattern Classification

Feedly's threat intelligence maps this CVE to CAPEC-27: Leveraging Race Conditions via Symbolic Links, a useful lens on the detection surface even though the flow described above needs no timing window: the builder plants the symlink before the daemon ever touches the path. What matters for detection is therefore not a narrow race but two durable artifacts: a symlink inside a build chroot that resolves outside /nix/store, and a write by nix-daemon to a file outside /nix/store.

Affected Systems and Versions

The vulnerability affects Nix package manager installations on Linux in the following version ranges:

Environment Type           Vulnerability Status   Impact Level                 Priority
Linux Multi-User (NixOS)   Vulnerable             Critical (Root Escalation)   P1 (Immediate)
Linux Single-User          Vulnerable             Low (Same User Privilege)    P3 (Standard)
macOS Sandboxed            Unaffected             None                         P4 (Monitor)

Vulnerable version ranges:

  • Nix >= 2.21 (mainline), up to but excluding the patched releases below
  • The releases that backported the CVE-2024-27297 fix: 2.18.x from 2.18.2, 2.19.x from 2.19.4, and 2.20.x from 2.20.5

Patched versions:

Branch   Patched Version
2.34     2.34.5
2.33     2.33.4
2.32     2.32.7
2.31     2.31.4
2.30     2.30.4
2.29     2.29.3
2.28     2.28.6

The default allowed-users configuration (*) in multi-user installations permits all local users to submit builds to the Nix daemon, making any multi-user Linux installation with an unpatched Nix version exploitable by any local user. No fixed release is listed for branches 2.18 through 2.27. Lix users are not affected, as Lix took a different remediation path for the original CVE-2024-27297.

The Debian nix source package remains vulnerable across all Debian releases as of April 8, 2026, including sid (unstable) which ships version 2.34.3+dfsg-1.

Vendor Security History

The Nix project has a concentrated history of security issues around fixed-output derivations. In March 2024, CVE-2024-27297 was disclosed, revealing that fixed-output derivations could be corrupted on Linux after Nix had registered the path as valid and immutable. That vulnerability involved file descriptors being sent to files in the Nix store via Unix domain sockets in the abstract namespace. The fix for CVE-2024-27297 directly introduced the regression that became CVE-2026-39860, demonstrating how security patches in complex sandboxing code can inadvertently create new attack surfaces.

On the positive side, the Nix project demonstrated strong responsiveness to CVE-2026-39860 by coordinating the advisory through official channels and releasing patches across seven different release branches simultaneously (2.28.6 through 2.34.5). The patched versions also include defense-in-depth measures using the Linux landlock LSM to further harden the FOD build process.
