Brief Summary: CVE-2026-44028 Local Privilege Escalation in Nix and Lix via NAR Parser Stack Overflow

Introduction

A locally exploitable stack to heap overflow in the Nix and Lix package managers allows any user with daemon access to potentially execute arbitrary code as root, turning a default configuration into a privilege escalation path. The vulnerability, tracked as CVE-2026-44028, sits in the Nix Archive (NAR) parser and affects a wide range of Nix and Lix release branches dating back to versions 2.24.4 and 2.93.0 respectively.

Nix is a functional package manager and build system designed for reproducible, declarative deployments. It underpins the NixOS Linux distribution and has a growing presence in CI/CD pipelines, development environments, and infrastructure management across the industry. Lix is an independent, community maintained fork of Nix that aims for full compatibility while focusing on correctness and usability. Both projects share the same daemon architecture and, consequently, the same vulnerability.

Technical Information

Root Cause: Unbounded Recursion on an Unguarded Coroutine Stack

The core issue is unbounded recursion in the NAR directory parser. NAR is the serialization format used by Nix to represent file system objects (files, directories, symlinks) for transport and storage. When the parser encounters nested directories, each level of nesting adds a new frame to the call stack. Under normal operation this is fine, but the parser runs on a coroutine stack that was allocated without a guard page.

A guard page is a region of memory marked as inaccessible at the boundary of a stack allocation. When a stack grows into a guard page, the operating system raises a fault, preventing the overflow from corrupting adjacent memory. Without this protection, the coroutine stack can silently grow past its allocated boundary and overwrite data on the heap.

Attack Flow

The exploitation path proceeds as follows:

Local access to the daemon. The attacker needs to connect to the Nix daemon. In multi-user Nix installations, the daemon runs as root. The allowed-users configuration defaults to *, meaning every local user can connect. This is the default on NixOS and standard multi-user Nix installs.
Crafting a malicious NAR payload. The attacker constructs a NAR archive with deeply nested directory structures. When the daemon's NAR parser processes this payload, each directory level triggers another recursive call.
Stack to heap overflow. Because the coroutine stack lacks a guard page, the recursion eventually causes the stack to overflow into adjacent heap memory. The attacker controls the depth and content of the NAR structure, giving them influence over what gets written to the heap.
Heap corruption and code execution. By carefully crafting the NAR payload, the attacker can overwrite heap metadata or function pointers, hijacking the daemon's execution flow. Since the daemon runs as root, this yields arbitrary code execution with root privileges.
ASLR bypass requirement. The exploit requires knowledge of memory layout to reliably target heap structures. ASLR randomizes this layout, so the attacker must either bypass or weaken ASLR. One potential avenue is brute forcing: repeatedly crashing forked worker processes to probe the address space. The pre-patch daemon did not limit worker crashes, making this approach feasible given enough attempts.

CVSS Breakdown

The CVSS v3.1 vector is AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, yielding a score of 7.5. The key factors:

Attack Vector: Local means the attacker must have local system access.
Attack Complexity: High reflects the ASLR bypass requirement.
Privileges Required: Low because any local user can connect to the daemon by default.
Scope: Changed indicates the attacker escapes the user privilege boundary to compromise the root context.
Confidentiality and Integrity: High because root access grants full read/write over the system.

Defense in Depth in the Patches

The upstream fixes go well beyond capping recursion depth. The patches introduce several structural hardening measures:

Component	Before Patch	After Patch
NAR recursion depth	Unbounded	Limited to 64 levels during parsing and serialization
Coroutine stack allocation	No guard page	Allocated with a guard page
File name length	Unbounded	Bounded to 255 bytes
Symlink target length	Unbounded	Bounded to 4096 bytes; checked for invalid contents
Forked worker crash limit	Unlimited	Limited to 64 crashes to mitigate ASLR brute forcing

The worker crash limit is particularly noteworthy. Even if an attacker finds a way to trigger the overflow post-patch (which the recursion limit should prevent), the 64 crash limit makes ASLR brute forcing impractical. This is a good example of layered defense: no single fix is relied upon exclusively.

Scope Clarification

Guix, another functional package manager that shares conceptual lineage with Nix, is explicitly not affected by this vulnerability. The issue is specific to the C++ implementations used by Nix and Lix.

Substituters (remote binary caches) could theoretically deliver a malicious NAR, but they cannot make enough attempts to reliably exploit the vulnerability, limiting the practical attack surface to direct daemon connections.

Affected Systems and Versions

Nix:

Introduced in version 2.24.4
Fixed in versions 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7
All versions from 2.24.4 up to (but not including) the fixed release on each branch are vulnerable

Lix:

Introduced in version 2.93.0
Fixed in versions 2.95.2, 2.94.2, and 2.93.4
All versions from 2.93.0 up to (but not including) the fixed release on each branch are vulnerable

Vulnerable configurations:

Multi-user Nix or Lix installations where the daemon runs as root (the standard deployment model)
Systems where allowed-users is set to * (the default), granting all local users daemon access
Systems without maximized ASLR entropy are at higher risk of successful exploitation

CVE Analysis

Experimental AI-Generated Content

Introduction

Technical Information