TL;DR
The GNU Guix project disclosed four GNU Guix vulnerabilities in early July 2026. Three affect the guix substitute helper, and one affects guix pull and guix time-machine. Together, they allow remote privilege escalation, store corruption, file disclosure, and file overwrites. CVE IDs are still pending.
Why it matters
The guix substitute helper runs whenever a system downloads a pre-built binary package. So the worst flaw triggers the moment a machine fetches a substitute. A malicious or impersonated substitute server can then write files anywhere the daemon user can.
When the daemon runs as root, that includes /etc/passwd. Notably, HTTPS does not stop the attack, because the signed metadata does not cover the download URL. All Guix systems are affected, though an unprivileged daemon limits the damage.
The remote path is broad. Any configured substitute server can exploit it, including servers found through the daemon’s –discover option. A man-in-the-middle attacker can do the same. Local abuse is just as easy, since any user can connect to the guix-daemon socket by default.
How the attack works
Arbitrary file writes during unpacking
The first flaw sits in restore-file, the routine that unpacks a substitute. Guix extracted each archive while downloading it, before it checked the hash. As a result, a rogue server could write arbitrary files before the hash check failed. The advisory notes the same code pattern caused CVE-2024-45593 in Nix.
This routine reaches beyond substitutes as well. The same restore-file code backs guix offload, guix archive –extract, and guix challenge. Each can be abused the same way when it handles untrusted input.
Substitute swapping and file:// abuse
The second flaw let a server return metadata that did not match the request. Consequently, one authorized substitute could stand in for another, forcing outdated and insecure packages onto a host. The third flaw accepted file:// URIs from untrusted local clients and followed symbolic links. Therefore, a local user could read files the daemon can access, such as a secret passphrase.
Channel path traversal
The fourth flaw affects guix pull and guix time-machine. A crafted channel name like “../../../../newfile” could create or overwrite files where the user has write permission. Because of strict content limits, this mostly means denial of service.
Exploitation status
No source reports exploitation in the wild. Likewise, no public proof-of-concept exists. The Guix team did publish a self-test script, yet that only checks whether a daemon is vulnerable. It is not an exploit.
Affected versions
Every Guix installation before the fix is affected. The issues span guix substitute, guix pull, and guix time-machine. Guix developers themselves found and reported the flaws, so this is a coordinated disclosure rather than an active attack.
The advisory gives no user count, though Guix ships thousands of packages to a wide audience. Systems on distributions other than Guix System have run the unprivileged daemon by default since version 1.5.0.
Patch and mitigation
The Guix team fixed the flaws across 11 commits in pull request #9665. Update both guix and guix-daemon to commit 897832f or any later commit. Updating only the client is not enough, since the daemon handles substitutes.
The fix hardens restore-file to reject unsafe entry names. Names must be unique, ordered, and free of slashes or null bytes. The patched code also refuses to follow symbolic links or reuse an existing target. In addition, substitutes now unpack in a temporary directory and move to the store only after the hash checks out.
As a short-term step, passing –no-substitutes blocks remote attacks on the first two flaws. However, it does not stop local exploitation, which needs the patch. For the channel flaw, avoid running guix pull or guix time-machine with an untrusted channels file.
One caveat matters during upgrades. A regression between July 2 and July 5 briefly broke substitutes on the unprivileged daemon, and the team has since fixed it. For the full technical breakdown, read the official GNU Guix security advisory, which also includes the self-test and upgrade steps.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.