SB20260408153 - Ubuntu update for nix

Published: April 8, 2026

Security Bulletin ID: SB20260408153
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 75% (3 of 4)
Low: 25% (1 of 4)

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Untrusted search path (CVE-ID: CVE-2024-38531)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the use of an untrusted search path during the build process. A local user can place a malicious setuid binary in a globally accessible location, assume the permissions of a Nix daemon worker, and hijack all future builds.


2) Improper Certificate Validation (CVE-ID: CVE-2024-47174)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper certificate validation in <nix/fetchurl.nix> when establishing HTTPS connections. A remote attacker can perform a man-in-the-middle attack to disclose sensitive information.

Credentials may be exposed when authentication is supplied through a netrc file or through derivations using impureEnvVars.


3) Improper access control (CVE-ID: CVE-2024-27297)

The vulnerability allows a remote user to modify the output of fixed-output derivations.

The vulnerability exists due to improper access control in fixed-output derivations: a build can send file descriptors for files in the Nix store to another program on the host via Unix domain sockets in the abstract namespace. A remote user can use such file descriptors, passed to another program running on the host, to modify the output of fixed-output derivations.

This issue affects Linux systems and can occur after Nix has registered the path as valid and immutable in the Nix database.


4) Path traversal (CVE-ID: CVE-2024-45593)

The vulnerability allows a remote user to write to arbitrary file system locations accessible to the Nix process.

The vulnerability exists due to improper path restriction during NAR unpacking. A remote user can supply a specially crafted NAR that, when unpacked, writes to arbitrary file system locations accessible to the Nix process.

When the Nix daemon is used, the file writes occur with root permissions. User interaction is required to unpack the crafted NAR.


Remediation

Install the update from the vendor's website.