What is CVE-2026-39860?

CVE-2026-39860 is a critical-severity vulnerability in Nixos Nix, classified under UNIX Symbolic Link (Symlink) Following. CVSS score: 9.0/10. Published 2026-04-08.

How severe is CVE-2026-39860?

Critical severity. CVSS v3 base score is 9.0 out of 10.

Vulnerability in Nixos Nix

CVE-2026-39860

Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in mult…

EPSS: 0.000 (2.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.0 (Critical). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.

Affected products

Nixos Nix — versions >= 2.21, < 2.28.6, >= 2.29.0, < 2.29.3, >= 2.30.0, < 2.30.4

Weakness classification (CWE)

CWE-61 — UNIX Symbolic Link (Symlink) Following

References

https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj (x_refsource_CONFIRM)
https://github.com/NixOS/nix/pull/10178 (x_refsource_MISC)
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 (x_refsource_MISC)
https://github.com/NixOS/nix/commit/4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a (x_refsource_MISC)
https://github.com/NixOS/nix/commit/7794354a982449927ee7401cdeb573ddd16c4688 (x_refsource_MISC)
https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-39860?: CVE-2026-39860 is a critical-severity vulnerability in Nixos Nix, classified under UNIX Symbolic Link (Symlink) Following. CVSS score: 9.0/10. Published 2026-04-08.
How severe is CVE-2026-39860?: Critical severity. CVSS v3 base score is 9.0 out of 10.