Cyber Posture

CVE-2026-44028

Severity: High
Published: 05 May 2026
Modified: 05 May 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (0.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-674: Supports resumption at an alternate site when uncontrolled recursion causes primary site failure or crash.

Addresses CWE-674: Prevents uncontrolled recursion that exhausts stack or CPU resources.

Security Summary (AI)

CVE-2026-44028 is an unbounded recursion vulnerability in the NAR (Nix Archive) parser affecting Nix versions before 2.34.7 (including backported fixes in 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7, originally introduced in 2.24.4) and Lix versions before 2.95.2 (including 2.94.2 and 2.93.4, originally introduced in 2.93.0). The issue arises when the parser runs on a coroutine stack allocated without a guard page, leading to a stack-to-heap overflow that can corrupt heap memory.

A local attacker with low privileges (PR:L) who can connect to the Nix daemon (access is configurable via the allowed-users setting, which defaults to all users) can exploit this vulnerability. Exploitation requires high attack complexity (AC:H), such as bypassing ASLR hardening, but can result in arbitrary code execution as the Nix daemon, which runs as root in multi-user installations. The CVSS v3.1 base score is 7.5 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity with changed scope.

Advisories recommend upgrading to the fixed versions listed above. Additional details are available in the NixOS Discourse security advisory at https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407, the Nix GitHub security advisory at https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368, and oss-security mailing list announcements at https://www.openwall.com/lists/oss-security/2026/05/04/32 and https://www.openwall.com/lists/oss-security/2026/05/04/33. The vulnerability is associated with CWE-674 (Uncontrolled Recursion).
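As an added example (not code from Nix or Lix, and not the real NAR wire format), the following C++ sketch shows the control class listed under CWE-674 above, "prevents uncontrolled recursion that exhausts stack or CPU resources": a recursive node walker over a constructed NAR-like token layout that refuses input once nesting passes an explicit cap, so depth is bounded by a number the operator chooses rather than by whatever stack happens to sit beneath the parser. The token layout (node = "regular" | "directory" "(" node* ")"), the function names and the cap of 64 are assumptions for illustration.

```cpp
// Added example, not Nix or Lix code: a deliberately simplified
// NAR-style nested-node walker with an explicit recursion cap, the
// CWE-674 control class named on this page. The token layout below
// (node = "regular" | "directory" "(" node* ")") is a constructed
// illustration and is NOT the real NAR wire format.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

using Tokens = std::vector<std::string>;

// Thrown when nesting exceeds the configured cap, before the recursion
// can consume an unbounded amount of stack.
struct DepthExceeded : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Parses one node starting at `pos` and returns the deepest nesting
// level reached beneath it. `depth` is the current level, `maxDepth`
// the hard cap; the check runs on entry so every recursive frame is
// accounted for, not only the directory frames.
static std::size_t parseNode(const Tokens& t, std::size_t& pos,
                             std::size_t depth, std::size_t maxDepth) {
    if (depth > maxDepth) {
        throw DepthExceeded("nesting depth exceeds cap of " +
                            std::to_string(maxDepth));
    }
    if (pos >= t.size()) throw std::runtime_error("unexpected end of archive");

    const std::string& type = t[pos++];
    if (type == "regular") return depth;
    if (type != "directory") throw std::runtime_error("unknown node type: " + type);

    if (pos >= t.size() || t[pos] != "(") throw std::runtime_error("expected '('");
    ++pos;

    std::size_t deepest = depth;
    while (pos < t.size() && t[pos] != ")") {
        deepest = std::max(deepest, parseNode(t, pos, depth + 1, maxDepth));
    }
    if (pos >= t.size()) throw std::runtime_error("unterminated directory");
    ++pos;  // consume ")"
    return deepest;
}

// Entry point: returns the archive's maximum nesting depth, or -1 when
// the cap was hit. Malformed input still raises std::runtime_error.
long parseArchiveDepth(const Tokens& t, std::size_t maxDepth) {
    std::size_t pos = 0;
    try {
        std::size_t d = parseNode(t, pos, 0, maxDepth);
        if (pos != t.size()) throw std::runtime_error("trailing tokens after root node");
        return static_cast<long>(d);
    } catch (const DepthExceeded&) {
        return -1;
    }
}

// Builds a constructed archive nested `levels` directories deep, the
// input shape that drives the parser's recursion depth.
Tokens nestedArchive(std::size_t levels) {
    Tokens t;
    for (std::size_t i = 0; i < levels; ++i) {
        t.push_back("directory");
        t.push_back("(");
    }
    t.push_back("regular");
    for (std::size_t i = 0; i < levels; ++i) t.push_back(")");
    return t;
}

int main() {
    const std::size_t cap = 64;  // assumed operator-chosen limit
    std::cout << "3 levels:      " << parseArchiveDepth(nestedArchive(3), cap) << "\n";
    std::cout << "100000 levels: " << parseArchiveDepth(nestedArchive(100000), cap) << "\n";
    return 0;
}
```

The cap is checked on entry to every frame, so a 100000-level input is rejected after 65 frames instead of being walked to the bottom; a depth limit of this kind complements, rather than replaces, a guard page on the coroutine stack, and neither substitutes for upgrading to the fixed versions listed above.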

Details

CWE(s): CWE-674 (Uncontrolled Recursion)

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local unbounded recursion leading to stack-to-heap overflow and RCE as root in the Nix daemon directly enables T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References