A privilege escalation vulnerability (CVE-2026-39860) in the Nix daemon allows any user with build submission rights to achieve arbitrary file writes as root. The issue affects Nix versions 2.21 through 2.34.4 and earlier patched versions, impacting NixOS and multi-user installations on Linux. Patches are now available for all affected versions.
Nix security advisory: Privilege escalation via symlink following during FOD output registration
Nix daemon privilege escalation (CVE-2026-39860) allows any user with build rights to write arbitrary files as root on NixOS and multi-user Linux systems running versions 2.21–2.34.4.
Tuesday, April 7, 2026 12:00 PM UTC | 2 min read | Source: Lobsters | By sys://pipeline