CVE-2024-27297: Time-of-check Time-of-use (TOCTOU) Race Condition in NIX

Severity
9.0 CRITICAL (NVD)
NVD: 5.9 | OSV: 5.9
EPSS
0.1% (top 84.61%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 8

Description

Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the bui

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Exploitability: 2.5 | Impact: 5.8

Affected Packages (7 packages)

Source  | Package      | Affected versions
NVD     | nixos/nix    | 2.42.18.2+3
debian  | debian/nix   | < guix 1.2.0-4+deb11u2 (bullseye) +1
debian  | debian/guix  | < guix 1.2.0-4+deb11u2 (bullseye)
Debian  | gnu/guix     | < 1.2.0-4+deb11u2
Debian  | nixos/nix    | < 2.22.1+dfsg-1+1

Vulnerability Details (3)

OSV: CVE-2026-39860: Nix is a package manager for Linux and other Unix systems (2026-04-08)
OSV: nix vulnerabilities (2025-07-14)
OSV: CVE-2024-27297: Nix is a package manager for Linux and other Unix systems (2024-03-11)

Vendor Advisories (3)

Debian: CVE-2026-39860: nix - Nix is a package manager for Linux and other Unix systems. A bug in the fix for ... (2026)
Ubuntu: Nix vulnerabilities (2025-07-14)
Debian: CVE-2024-27297: guix - Nix is a package manager for Linux and other Unix systems. A fixed-output deriva... (2024)

Threat Intelligence (1)

Wiz: CVE-2026-39860 Impact, Exploitability, and Mitigation Steps | Wiz

Community (1)

Bugzilla: CVE-2026-39860 nix: privilege escalation via symlink following during output registration (2026-04-08)
CVE-2024-27297 — Nixos NIX vulnerability | cvebase