Executive Summary
A critical vulnerability (CVE-2026-39860, CVSS 9.0) has been disclosed in the Nix package manager that effectively bypasses the previously issued fix for CVE-2024-27297. The flaw allows an attacker to exploit symlink following during fixed-output derivation builds, enabling arbitrary overwrite of files writable by the Nix orchestration process — typically the Nix daemon running as root in multi-user installations.
This is a significant regression in the security posture of Nix environments: organizations that applied the CVE-2024-27297 patch believed they were protected against this class of symlink-based attacks, but the new vulnerability demonstrates that the fix was incomplete.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-39860 |
| CVSS Score | 9.0 (Critical) |
| Related CVE | CVE-2024-27297 (bypassed) |
| CWE | CWE-61 — UNIX Symbolic Link Following |
| Type | Symlink Attack / Arbitrary File Overwrite |
| Attack Vector | Local / Build-time |
| Privileges Required | Low (build process access) |
| User Interaction | None |
| Patch Available | See upstream advisory |
Affected Versions
| Software | Condition | Impact |
|---|---|---|
| Nix (multi-user) | Daemon running as root | Arbitrary file overwrite as root |
| Nix (single-user) | User-level daemon | File overwrite as that user |
Background: CVE-2024-27297
CVE-2024-27297 was a previous vulnerability in Nix that allowed attackers to exploit symlink following during build processes. The patch introduced checks intended to prevent the Nix daemon from following attacker-controlled symlinks when writing output files during fixed-output derivation builds.
CVE-2026-39860 demonstrates that this fix contained a logic flaw that can be bypassed under specific conditions, restoring the original attack surface.
Technical Analysis
Root Cause
The vulnerability lies in Nix's handling of fixed-output derivations — a special class of builds where the output hash is known in advance. During these builds, the Nix daemon writes output to a store path, and the corrective logic from CVE-2024-27297 was intended to prevent symlink traversal during this write process.
The bug in the fix allows an attacker to race or pre-place symlinks such that the Nix daemon resolves them after the security check but before the actual write operation — a classic Time-Of-Check to Time-Of-Use (TOCTOU) vulnerability.
Attack Flow
1. Attacker submits or triggers a fixed-output derivation build
2. Nix daemon performs symlink safety check on target path (CVE-2024-27297 fix)
3. Attacker races to replace or insert a symlink at the target location
after the check but before the write
4. Nix daemon writes output data to the attacker-controlled symlink destination
5. File owned by root (daemon) is overwritten with attacker-supplied content
6. Attacker achieves privilege escalation or persistence via overwritten system fileExploitation Conditions
- Multi-user Nix installation where the daemon runs as root is the highest-risk configuration
- Attacker must be able to trigger a fixed-output derivation build (e.g., via
nix-build, Nix flakes, or NixOS package builds) - A local account with ability to run Nix builds is sufficient
- TOCTOU windows are narrow but automatable
Impact Assessment
| Impact Area | Description |
|---|---|
| Root File Overwrite | Overwrite any file writable by the Nix daemon (typically root-owned system files) |
| Privilege Escalation | Overwrite /etc/passwd, sudoers, or cron files to gain root shell |
| Persistence | Plant backdoors in system binaries or service files |
| Integrity Violation | Corrupt the Nix store or system configuration |
| Supply Chain Risk | In CI/CD pipelines, compromise build outputs for downstream consumers |
Remediation
Step 1: Check Your Nix Installation Mode
# Determine if running in multi-user (daemon) mode
ls -la /nix/var/nix/daemon-socket/
# If this socket exists, you are in multi-user mode
# Check daemon ownership
ps aux | grep nix-daemonStep 2: Apply the Upstream Patch
Monitor the official Nix releases and security advisories for a patched version addressing CVE-2026-39860:
# Update Nix via the official installer (single-user)
nix upgrade-nix
# For NixOS, update your system channel and rebuild
sudo nix-channel --update
sudo nixos-rebuild switch
# Check current Nix version
nix --versionStep 3: Restrict Build Permissions as a Temporary Mitigation
# Limit which users can trigger Nix daemon builds
# Edit /etc/nix/nix.conf to restrict build users
# Add specific users to the trusted-users list
trusted-users = root @wheel
# Disable untrusted builds until patched
# In /etc/nix/nix.conf:
# allowed-users = rootStep 4: Audit for Compromise
# Check recently modified root-owned system files
find /etc /usr/bin /usr/sbin -newer /etc/nixos/configuration.nix -type f 2>/dev/null | head -30
# Review Nix daemon logs
journalctl -u nix-daemon --since "7 days ago" | grep -i "error\|warning\|symlink"
# Check Nix store integrity
nix-store --verify --check-contentsDetection Indicators
| Indicator | Description |
|---|---|
| Unexpected file modifications in /etc or /usr | Possible post-exploitation file overwrite |
| Nix daemon logs showing symlink resolution errors | Exploitation attempts |
| TOCTOU race condition patterns in build logs | Active exploitation |
| Unexplained changes to cron files or sudoers | Privilege escalation attempt |
| Build processes accessing paths outside Nix store | Suspicious derivation behavior |
Post-Remediation Checklist
- Apply the upstream Nix patch for CVE-2026-39860 as soon as it is released
- Restrict trusted-users in
/etc/nix/nix.confto minimize who can trigger daemon builds - Audit system files for unauthorized modifications, particularly in
/etcand/usr - Review build logs for evidence of TOCTOU race patterns or symlink anomalies
- Disable fixed-output derivation builds from untrusted users as a temporary mitigation
- Monitor the Nix security mailing list for patch availability
- Enable file integrity monitoring on critical system paths
- Restrict local user accounts that have access to
nix-buildornix develop