Severity by source
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
AnalysisAI
Stack-to-heap overflow in Nix and Lix daemon's NAR parser enables local privilege escalation to root in multi-user installations. Low-privileged users with daemon access can trigger unbounded recursion in the coroutine-based parser to overwrite heap memory and achieve arbitrary code execution as the Nix daemon (root), provided ASLR can be bypassed. Vulnerability affects Nix 2.24.4-2.34.6 and Lix 2.93.0-2.95.1, with vendor-confirmed patches released across multiple version branches. CVSS vector indicates local attack with high complexity but cross-scope privilege escalation, consistent with the EPSS score suggesting targeted exploitation scenarios rather than mass scanning.
Technical ContextAI
The vulnerability exists in the NAR (Nix Archive) format parser, a critical component of both Nix and Lix package managers used for serializing filesystem objects. The parser runs on a coroutine stack allocated without guard pages-a memory protection mechanism that normally triggers faults on overflow. When processing maliciously crafted NAR archives with deeply nested structures, unbounded recursion exhausts the coroutine stack, causing it to overflow into adjacent heap memory. This is a CWE-674 (Uncontrolled Recursion) vulnerability that manifests as memory corruption. In multi-user Nix installations, the nix-daemon process runs with root privileges to manage the shared /nix/store, making it a high-value target. The coroutine implementation detail is specific to the asynchronous I/O architecture introduced in Nix 2.24.4 and Lix 2.93.0, explaining why earlier versions are unaffected. ASLR (Address Space Layout Randomization) bypass is required for reliable exploitation, but local attackers often have sufficient information leakage vectors to defeat ASLR.
RemediationAI
Immediately upgrade to patched versions: For Nix, upgrade to 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7 depending on your current major/minor branch. For Lix, upgrade to 2.95.2, 2.94.2, or 2.93.4. Patches are available via normal distribution channels (nixpkgs, system package managers, or direct installation from https://nixos.org). If immediate patching is not feasible, restrict nix-daemon access by modifying the allowed-users configuration in /etc/nix/nix.conf to limit daemon connections to only trusted administrative users rather than the default of all system users-this significantly reduces attack surface but breaks workflows requiring unprivileged Nix operations. Alternatively, convert multi-user installations to single-user mode on systems where all users are equally trusted, though this eliminates the shared store benefits and may require significant reconfiguration. For high-security environments, consider running Nix operations in isolated containers or VMs until patching is complete. Review audit logs for suspicious NAR file processing or unexpected daemon activity, though exploitation may be difficult to detect post-facto. The allowed-users restriction trades off convenience for security and may disrupt CI/CD pipelines or development workflows.
Same weakness CWE-674 – Uncontrolled Recursion
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27163