Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <fbbaf5ed-23ad-4d45-92a6-1f620e422be4@linuxlounge.net>
Date: Mon, 4 May 2026 23:26:38 +0200
From: Martin Weinelt <martin@...uxlounge.net>
To: oss-security@...ts.openwall.com
Subject: Nix/Lix: local privilege escalation in daemon process

Nix is a package manager and build system for Unix-like systems. Lix is 
a community-maintained fork of Nix. Both provide a daemon used in 
multi-user installations to perform privileged build and store operations.

The Nix and Lix projects are issuing a coordinated security advisory for 
vulnerabilities in their daemon implementations.

A buffer overflow in the daemon may allow a local attacker with access 
to the daemon interface to achieve arbitrary code execution as the 
daemon user (root in typical multi-user installations).

CVE assignment is pending.

Fixes are available, and users are strongly encouraged to upgrade.

For full details (affected versions, fixed releases, mitigations), see:

https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407


Martin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.