Nix, the robust package manager celebrated for bringing reliability and reproducibility to Linux and Unix systems, has issued a high-priority security fix for a dangerous memory corruption vulnerability. The flaw, tracked as CVE-2026-44028 with a CVSS score of 7.5, could allow a standard user to compromise the Nix daemon and gain root privileges on a multi-user system.
The vulnerability affects the Nix Archive (NAR) parser, a core component responsible for handling the specialized archive format Nix uses to distribute packages and to move store paths between the client and the daemon.
The technical root of the issue lies in “unbounded recursion” within the NAR directory parser. When the parser encounters a deeply nested directory structure, it calls itself repeatedly, consuming stack memory with each level.
Because the parser was running on a coroutine stack, a smaller, specialized memory segment, the recursion could quickly exhaust the available space. Compounding the risk, this stack was allocated without a guard page, the unmapped page normally placed at the end of a stack so that an overflow faults immediately instead of writing into whatever memory happens to sit next to it.
The result of this oversight is severe:
- Memory Overwrite: A stack overflow could silently “spill over” and overwrite adjacent heap memory rather than crashing the process.
- Arbitrary Code Execution: If an attacker can defeat ASLR (Address Space Layout Randomization), they can leverage this overflow to execute code of their choosing inside the daemon.
- Privilege Escalation: Since the Nix daemon runs as root in multi-user installations, a successful exploit grants the attacker total control over the host.
Any user able to connect to the Nix daemon can exploit this flaw. In a default multi-user installation that is every local user, unless the allowed-users setting has been restricted.
The Nix maintainers have introduced a comprehensive set of fixes and hardening measures to close this vector and mitigate future memory-based attacks.
Key security updates include:
- Recursion Limits: NAR directory recursion depth is now strictly limited to 64 levels during both parsing and serialization.
- Memory Protection: Coroutine stacks are now allocated with a guard page to prevent overflows from reaching the heap.
- Input Sanitization: Symlink entries are now checked for invalid contents, and filenames are capped at 255 bytes (matching Linux’s NAME_MAX).
- ASLR Mitigation: The Nix daemon now limits the number of forked worker crashes to 64, making it significantly harder for an attacker to “brute-force” their way past ASLR hardening.
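To make the recursion problem and the corresponding hardening concrete, here is an added example written for this article; it is not Nix's own parser. It implements a minimal reader for the NAR wire format (each string is an 8-byte little-endian length followed by the payload, zero-padded to a multiple of 8 bytes; nodes are `( type <regular|symlink|directory> ... )`), constructs a NAR with an attacker-chosen number of nested directories, and parses it twice: once with no depth limit, where each directory level costs another stack frame, and once with the 64-level cap described above. The filename policy (non-empty, at most 255 bytes, no `/` or NUL, not `.` or `..`) and the rejection of empty or NUL-containing symlink targets are this example's own interpretation of the “input sanitization” bullets, not a copy of the project's checks. Function names and the sample archive are assumptions of the example.

```c
/* Added example, not Nix's code: minimal NAR parser showing why unbounded
 * directory recursion is dangerous and how a depth limit, a NAME_MAX filename
 * cap and a symlink-target check close it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAR_MAX_DEPTH 64   /* nesting limit from the fix described above */
#define NAR_NAME_MAX  255  /* Linux NAME_MAX */

typedef struct { const uint8_t *p; size_t len, pos; } nar_reader;

/* Read one NAR string (8-byte LE length, payload, pad to 8); fail on truncation. */
static int read_str(nar_reader *r, const uint8_t **s, size_t *n) {
    uint64_t len = 0;
    if (r->len - r->pos < 8) return 0;
    for (int i = 0; i < 8; i++) len |= (uint64_t)r->p[r->pos + i] << (8 * i);
    r->pos += 8;
    if (len > r->len - r->pos) return 0;          /* also keeps padded size in range */
    *s = r->p + r->pos; *n = (size_t)len;
    size_t padded = (*n + 7) & ~(size_t)7;
    if (padded > r->len - r->pos) return 0;
    r->pos += padded;
    return 1;
}

static int expect(nar_reader *r, const char *lit) {
    const uint8_t *s; size_t n;
    return read_str(r, &s, &n) && n == strlen(lit) && memcmp(s, lit, n) == 0;
}

/* Filename policy: non-empty, <= NAME_MAX bytes, no '/' or NUL, not "." or "..". */
int nar_name_ok(const uint8_t *s, size_t n) {
    if (n == 0 || n > NAR_NAME_MAX || memchr(s, '/', n) || memchr(s, 0, n)) return 0;
    if ((n == 1 && s[0] == '.') || (n == 2 && s[0] == '.' && s[1] == '.')) return 0;
    return 1;
}

/* Convenience for checking the length cap with a name of n 'x' bytes. */
int long_name_ok(size_t n) {
    static uint8_t name[1024];
    if (n > sizeof name) return 0;
    memset(name, 'x', n);
    return nar_name_ok(name, n);
}

/* Parse one node. max_depth < 0 reproduces the unbounded (pre-fix) behaviour:
 * every nested directory adds a stack frame, so the archive author decides how
 * much stack is consumed. *deepest records the deepest node visited. */
static int parse_node(nar_reader *r, int depth, int max_depth, int *deepest) {
    const uint8_t *s; size_t n;
    if (depth > *deepest) *deepest = depth;
    if (!expect(r, "(") || !expect(r, "type") || !read_str(r, &s, &n)) return 0;
    if (n == 7 && !memcmp(s, "regular", 7)) {
        if (!read_str(r, &s, &n)) return 0;
        if (n == 10 && !memcmp(s, "executable", 10))
            if (!expect(r, "") || !read_str(r, &s, &n)) return 0;
        if (n != 8 || memcmp(s, "contents", 8) || !read_str(r, &s, &n)) return 0;
    } else if (n == 7 && !memcmp(s, "symlink", 7)) {
        if (!expect(r, "target") || !read_str(r, &s, &n)) return 0;
        if (n == 0 || memchr(s, 0, n)) return 0;   /* invalid symlink target */
    } else if (n == 9 && !memcmp(s, "directory", 9)) {
        if (max_depth >= 0 && depth >= max_depth) return 0;  /* hardening: refuse to recurse */
        for (;;) {
            if (!read_str(r, &s, &n)) return 0;
            if (n == 1 && s[0] == ')') return 1;             /* end of directory */
            if (n != 5 || memcmp(s, "entry", 5)) return 0;
            if (!expect(r, "(") || !expect(r, "name") || !read_str(r, &s, &n)) return 0;
            if (!nar_name_ok(s, n) || !expect(r, "node")) return 0;
            if (!parse_node(r, depth + 1, max_depth, deepest) || !expect(r, ")")) return 0;
        }
    } else {
        return 0;
    }
    return expect(r, ")");
}

int parse_nar(const uint8_t *buf, size_t len, int max_depth, int *deepest) {
    nar_reader r = { buf, len, 0 };
    *deepest = -1;
    return expect(&r, "nix-archive-1") && parse_node(&r, 0, max_depth, deepest) && r.pos == len;
}

/* --- Constructed input: a NAR with `dirs` nested directories around one file --- */
typedef struct { uint8_t *p; size_t cap, len; int ok; } nar_writer;

static void put_str(nar_writer *w, const char *s) {
    size_t n = strlen(s), padded = (n + 7) & ~(size_t)7;
    if (!w->ok || w->cap - w->len < 8 + padded) { w->ok = 0; return; }
    for (int i = 0; i < 8; i++) w->p[w->len++] = (uint8_t)((uint64_t)n >> (8 * i));
    memcpy(w->p + w->len, s, n);
    memset(w->p + w->len + n, 0, padded - n);
    w->len += padded;
}

size_t build_nested_nar(uint8_t *buf, size_t cap, int dirs) {
    nar_writer w = { buf, cap, 0, 1 };
    const char *open[] = { "(", "type", "directory", "entry", "(", "name", "d", "node" };
    const char *leaf[] = { "(", "type", "regular", "contents", "payload", ")" };
    put_str(&w, "nix-archive-1");
    for (int i = 0; i < dirs; i++) for (int k = 0; k < 8; k++) put_str(&w, open[k]);
    for (int k = 0; k < 6; k++) put_str(&w, leaf[k]);
    for (int i = 0; i < dirs; i++) { put_str(&w, ")"); put_str(&w, ")"); } /* close entry, then dir */
    return w.ok ? w.len : 0;
}

static int g_deepest;
/* Build and parse a NAR with `dirs` nested directories; 1 = accepted. */
int parse_nested(int dirs, int max_depth) {
    static uint8_t buf[1 << 20];
    size_t len = build_nested_nar(buf, sizeof buf, dirs);
    return len != 0 && parse_nar(buf, len, max_depth, &g_deepest);
}
int last_depth_reached(void) { return g_deepest; }

int main(void) {
    printf("unbounded: accepted=%d, recursed to depth %d\n", parse_nested(2000, -1), last_depth_reached());
    printf("bounded:   accepted=%d, stopped at depth %d\n", parse_nested(2000, NAR_MAX_DEPTH), last_depth_reached());
    return 0;
}
```

Run stand-alone, the unbounded parse walks all 2000 levels (on a small coroutine stack without a guard page that is the overflow the advisory describes), while the bounded parse refuses the 65th directory and returns without recursing further. Note that the limit is enforced before recursing, so the cost of a rejected archive is bounded regardless of how deeply it is nested.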
The vulnerability has been present in the codebase since version 2.24.4. Users are strongly encouraged to update their Nix installation to one of the following fixed releases: