Skip to main content

Nix / Lix EUVDEUVD-2026-27163

| CVE-2026-44028 HIGH
Uncontrolled Recursion (CWE-674)
2026-05-05 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 05, 2026 - 02:01 EUVD
Analysis Generated
May 05, 2026 - 01:30 vuln.today

DescriptionCVE.org

An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).

AnalysisAI

Stack-to-heap overflow in Nix and Lix daemon's NAR parser enables local privilege escalation to root in multi-user installations. Low-privileged users with daemon access can trigger unbounded recursion in the coroutine-based parser to overwrite heap memory and achieve arbitrary code execution as the Nix daemon (root), provided ASLR can be bypassed. Vulnerability affects Nix 2.24.4-2.34.6 and Lix 2.93.0-2.95.1, with vendor-confirmed patches released across multiple version branches. CVSS vector indicates local attack with high complexity but cross-scope privilege escalation, consistent with the EPSS score suggesting targeted exploitation scenarios rather than mass scanning.

Technical ContextAI

The vulnerability exists in the NAR (Nix Archive) format parser, a critical component of both Nix and Lix package managers used for serializing filesystem objects. The parser runs on a coroutine stack allocated without guard pages-a memory protection mechanism that normally triggers faults on overflow. When processing maliciously crafted NAR archives with deeply nested structures, unbounded recursion exhausts the coroutine stack, causing it to overflow into adjacent heap memory. This is a CWE-674 (Uncontrolled Recursion) vulnerability that manifests as memory corruption. In multi-user Nix installations, the nix-daemon process runs with root privileges to manage the shared /nix/store, making it a high-value target. The coroutine implementation detail is specific to the asynchronous I/O architecture introduced in Nix 2.24.4 and Lix 2.93.0, explaining why earlier versions are unaffected. ASLR (Address Space Layout Randomization) bypass is required for reliable exploitation, but local attackers often have sufficient information leakage vectors to defeat ASLR.

RemediationAI

Immediately upgrade to patched versions: For Nix, upgrade to 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7 depending on your current major/minor branch. For Lix, upgrade to 2.95.2, 2.94.2, or 2.93.4. Patches are available via normal distribution channels (nixpkgs, system package managers, or direct installation from https://nixos.org). If immediate patching is not feasible, restrict nix-daemon access by modifying the allowed-users configuration in /etc/nix/nix.conf to limit daemon connections to only trusted administrative users rather than the default of all system users-this significantly reduces attack surface but breaks workflows requiring unprivileged Nix operations. Alternatively, convert multi-user installations to single-user mode on systems where all users are equally trusted, though this eliminates the shared store benefits and may require significant reconfiguration. For high-security environments, consider running Nix operations in isolated containers or VMs until patching is complete. Review audit logs for suspicious NAR file processing or unexpected daemon activity, though exploitation may be difficult to detect post-facto. The allowed-users restriction trades off convenience for security and may disrupt CI/CD pipelines or development workflows.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-27163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy