Nix Privilege Escalation (CVE-2026-39860)
Patch now: a Nix symlink flaw lets any local user escalate to root by overwriting system files such as /etc/passwd and taking full control of the host. Update to the patched versions (2.28.6 and later).
Patch now: CVE-2026-39860 is a critical privilege escalation in the Nix package manager, versions prior to 2.34.5, that lets an attacker with sandboxed build access overwrite arbitrary host files via a symlink and gain root access. Immediate patching is required to prevent full system compromise.
Overview
A critical vulnerability, CVE-2026-39860, exists in the Nix package manager. This flaw is a regression related to a previous fix for CVE-2024-27297. It allows an attacker with local user access to escalate their privileges to root on affected systems, fundamentally breaking the security boundary of the build sandbox.
Vulnerability Details
In Nix, fixed-output derivations are used for builds where the output is known in advance, like downloading source code. A bug in the output registration process for these derivations on Linux creates a path for privilege escalation. During a sandboxed build, the builder process can create a symbolic link (symlink) at a specific temporary location inside the build environment. When the Nix daemon (typically running as root) later copies the build output, it incorrectly follows this attacker-controlled symlink. This causes the daemon to write the build output to any location the symlink points to on the host filesystem, not the intended sandboxed location.
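To make the missing check concrete from the defender's side, here is an added illustration that is not Nix's own code: a shell-level output-registration step that refuses to dereference the path the builder controls, and refuses to copy onto an existing destination. The function names, the staging/store layout and the sample tree under a temporary directory are all constructed for this example.

```shell
#!/bin/sh
# Added illustration (not Nix's own code): an output-registration step that refuses
# to follow a symlink at the staged output path, which is the check the advisory says
# the vulnerable daemon lacked. Hypothetical function names; runs on a throwaway tree.

# register_output STAGED DEST
# Copy a build output from its staging location into the store directory.
# Returns non-zero, copying nothing, if STAGED is a symlink, is missing,
# or if DEST already exists.
register_output() {
  staged="$1"
  dest="$2"

  # A privileged copier must never dereference the path the builder controls:
  # test -L examines the link itself (lstat semantics), not what it points to.
  if [ -L "$staged" ]; then
    echo "refusing to register $staged: it is a symlink to $(readlink "$staged")" >&2
    return 1
  fi
  if [ ! -e "$staged" ]; then
    echo "refusing to register $staged: no such output" >&2
    return 1
  fi
  # The destination must be a fresh path too: copying onto an existing symlink follows it.
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    echo "refusing to register into $dest: destination already exists" >&2
    return 1
  fi

  # -P keeps any symlinks *inside* the output as symlinks instead of dereferencing them.
  cp -R -P "$staged" "$dest"
}

# Demo on a constructed tree under a temporary directory (nothing outside it is touched).
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/sandbox" "$tmp/store"
  printf 'real build output\n' > "$tmp/sandbox/good-output"
  printf 'some host file\n' > "$tmp/host-file"          # stands in for an arbitrary host path
  ln -s "$tmp/host-file" "$tmp/sandbox/bad-output"      # output path replaced by a symlink

  register_output "$tmp/sandbox/good-output" "$tmp/store/good" && echo "good-output registered"
  register_output "$tmp/sandbox/bad-output"  "$tmp/store/bad"  || echo "bad-output rejected"
  rm -rf "$tmp"
}

demo
```

The shell version is only a model of the rule "inspect the link, never its target": between `test -L` and `cp` there is a window in which the path could change, so a daemon doing this for real performs the same check on an open file descriptor (lstat or O_NOFOLLOW) rather than on a path name, and applies it to every component of the output path, not just the last one.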
Impact
The impact is severe, particularly in multi-user Nix installations, which is the default configuration. Any user permitted to submit builds to the Nix daemon can exploit this to overwrite critical system files (like /etc/passwd or /etc/sudoers) and gain full root privileges. The default allowed-users setting permits all users, meaning this vulnerability can turn any standard user account into a pathway for complete system compromise.
Affected Versions and Remediation
This vulnerability affects sandboxed Linux builds in Nix; macOS builds are not affected. You are vulnerable if you are running an unpatched version of Nix.
Immediate Action: Update your Nix installation to the patched release of the series you run:
- Nix 2.34.5
- Nix 2.33.4
- Nix 2.32.7
- Nix 2.31.4
- Nix 2.30.4
- Nix 2.29.3
- Nix 2.28.6
Update using your system’s package manager or via the Nix command line. If an immediate update is impossible, consider restricting the allowed-users setting in the Nix daemon configuration (nix.conf) to only essential, trusted users as a temporary mitigation. However, patching is the only complete solution.
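As an added helper for the remediation steps above (not part of the advisory and not a Nix tool), the following script decides whether a given Nix version is at or above the fixed release of its series, reads the installed version from `nix --version`, and shows the current allowed-users line from nix.conf when the install is unpatched. Two assumptions are mine rather than the advisory's: a series newer than 2.34 is treated as shipping with the fix, and a series older than 2.28, for which no fixed release is listed, is reported as unpatched; pre-release builds of a fixed version are also reported as unpatched.

```shell
#!/bin/sh
# Added helper (not part of the advisory or of Nix): decide whether a Nix version
# carries the fix for CVE-2026-39860, using the patched releases listed above.
# Assumptions (mine, not the advisory's): any series newer than 2.34 ships with the
# fix; any series older than 2.28 has no fixed release and is reported as unpatched.

# nix_is_patched VERSION
# Returns 0 if VERSION (e.g. 2.28.6) is at or above the fixed release of its series,
# 1 if it is unpatched, 2 if the string is not a recognisable Nix version.
nix_is_patched() {
  v="$1"
  case "$v" in
    2.*.*) ;;
    *) return 2 ;;
  esac
  # Keep only the leading digits of each field so suffixes like "pre..." do not break -ge.
  minor=$(printf '%s\n' "$v" | cut -d. -f2 | sed 's/[^0-9].*//')
  patch_raw=$(printf '%s\n' "$v" | cut -d. -f3)
  patch=$(printf '%s\n' "$patch_raw" | sed 's/[^0-9].*//')
  [ -n "$minor" ] && [ -n "$patch" ] || return 2

  case "$minor" in
    34) fixed=5 ;;
    33) fixed=4 ;;
    32) fixed=7 ;;
    31) fixed=4 ;;
    30) fixed=4 ;;
    29) fixed=3 ;;
    28) fixed=6 ;;
    *)
      [ "$minor" -gt 34 ] && return 0   # assumed: series released after the fix
      return 1                          # no fixed release listed for this series
      ;;
  esac
  # A pre-release of the fixed version (e.g. 2.28.6pre...) was built before that
  # release, so it is treated as unpatched (assumption about Nix's version scheme).
  if [ "$patch" -eq "$fixed" ] && [ "$patch" != "$patch_raw" ]; then
    return 1
  fi
  [ "$patch" -ge "$fixed" ]
}

# check_installed_nix
# Reads the version from `nix --version` (prints e.g. "nix (Nix) 2.28.5") and reports.
check_installed_nix() {
  command -v nix >/dev/null 2>&1 || { echo "nix not found on PATH" >&2; return 2; }
  ver=$(nix --version | awk '{print $NF}')
  if nix_is_patched "$ver"; then
    echo "Nix $ver: patched for CVE-2026-39860"
  else
    echo "Nix $ver: NOT patched; update, or restrict allowed-users in nix.conf meanwhile" >&2
    # Show the current restriction, if any, so the temporary mitigation can be verified.
    grep -E '^[[:space:]]*allowed-users' /etc/nix/nix.conf 2>/dev/null \
      || echo "allowed-users not set in /etc/nix/nix.conf (default: all users)" >&2
    return 1
  fi
}

check_installed_nix || true
```

Run it as `sh check-nix.sh` on each host; a non-zero exit from `check_installed_nix` means the install needs attention. For the temporary mitigation the page describes, a line such as `allowed-users = @wheel` (or an explicit list of user names) in /etc/nix/nix.conf limits who can submit builds to the daemon; the daemon must be restarted for the change to take effect, and the users who remain listed can still reach the vulnerable code path until the update is applied.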
Security Insight
This vulnerability highlights the persistent danger of regression bugs in security fixes, where a patch for one flaw inadvertently introduces another. Similar to the recent CrackArmor flaws in Linux AppArmor, it shows how complex security boundaries in build and container systems can be subtly undermined, turning a feature designed for safety (like a sandbox) into a vector for attack.