Severity by source
AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Analysis
A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Technical ContextAI
A race condition occurs when the behavior of software depends on the timing of events, such as the order of execution of threads or processes.
RemediationAI
Use proper synchronization mechanisms (locks, mutexes, atomic operations). Implement file locking for filesystem operations. Avoid TOCTOU patterns.
Same technique Information Disclosure
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was needs-triage |
| plucky | ignored | end of life, was needs-triage |
| questing | DNE | - |
Debian
Bug #1108318| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | (unfixed) | end-of-life |
| bullseye (security) | vulnerable | 1.2.0-4+deb11u3 | - |
| sid | vulnerable | 1.4.0-9 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19426