NixOS Nix
14 CVEs affecting NixOS Nix. Latest disclosed: 2026-05-05. Critical: 2, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-45593 | Critical | 9.1 | 2024-09-10 | Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when u… |
| CVE-2026-39860 | Critical | 9.0 | 2026-04-08 | Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix pr… |
| CVE-2025-53819 | High | 7.9 | 2025-07-14 | Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build… |
| CVE-2026-44028 | High | 7.5 | 2026-05-05 | An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow… |
| CVE-2024-27297 | Medium | 6.3 | 2024-03-11 | Nix is a package manager for Linux and other Unix systems. A fixed-output derivation on Linux can send file descriptors to files in the Nix store to another p… |
| CVE-2024-47174 | Medium | 5.9 | 2024-09-26 | Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verif… |
| CVE-2025-52993 | Medium | 5.6 | 2025-06-27 | A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbl… |
| CVE-2026-44029 | Medium | 5.3 | 2026-05-05 | An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" direct… |
| CVE-2024-38531 | Low | 3.6 | 2024-06-28 | Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change… |
| CVE-2025-52992 | Low | 3.2 | 2025-06-27 | The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the conten… |
| CVE-2025-52991 | Low | 3.2 | 2025-06-27 | The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard user… |
| CVE-2025-46415 | Low | 3.2 | 2025-06-27 | A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28… |
| CVE-2025-46416 | Low | 2.9 | 2025-06-27 | The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld… |
| CVE-2024-51481 | | | 2024-10-31 | Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as `builtin:fetchurl`, exposed to users with `import <nix/fetchurl… |