Skip to main content

Apple EUVDEUVD-2026-20626

| CVE-2026-39860 CRITICAL
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-04-08 security-advisories@github.com
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
SUSE
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:45 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.32.7,2.31.4,2.33.4
EUVD ID Assigned
Apr 08, 2026 - 21:22 euvd
EUVD-2026-20626
Analysis Generated
Apr 08, 2026 - 21:22 vuln.today
CVE Published
Apr 08, 2026 - 21:17 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.

AnalysisAI

Local privilege escalation in Nix package manager daemon (versions prior to 2.34.5/2.33.4/2.32.7/2.31.4/2.30.4/2.29.3/2.28.6) allows unprivileged users to gain root access in multi-user Linux installations. Incomplete fix for CVE-2024-27297 permits symlink attacks during fixed-output derivation registration, enabling arbitrary file overwrites as root. Attackers exploit sandboxed build registration by placing symlinks in temporary output paths, causing the daemon to follow symlinks and overwrite sensitive system files with controlled content. Affects default configurations where all users can submit builds. No public exploit identified at time of analysis.

Technical ContextAI

CWE-61 path traversal via symlink during output registration. The Nix daemon operates in host mount namespace while temporary output resides inside build chroot. Builder creates symlink at predictable temporary path; daemon follows symlink during file copy, writing derivation output to arbitrary filesystem locations. Sandboxing isolation failure between builder and daemon contexts enables privilege boundary violation.

RemediationAI

Vendor-released patches: upgrade to Nix 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, or 2.28.6 depending on installed branch. Primary fix commits available at https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9, https://github.com/NixOS/nix/commit/4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a, https://github.com/NixOS/nix/commit/7794354a982449927ee7401cdeb573ddd16c4688, and https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a. Official security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj. Temporary mitigation for multi-user installations: restrict allowed-users in nix.conf to trusted administrators only, preventing untrusted build submissions. Single-user installations (daemon not running as root) have reduced impact. Verify patched version post-upgrade via nix --version.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-20626 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy