cbcvebase.
CVE-2025-32438
published 2025-04-15

CVE-2025-32438: make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS users. With systemd.shutdownRamfs.enable…

PriorityP344high8.8CVSS 3.1
AVLACLPRLUINSCCHIHAH
EPSS
0.15%
4.8th percentile
make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS users. With systemd.shutdownRamfs.enable enabled (the default) a local user is able to create a program that will be executed by root during shutdown. Patches exist for NixOS 24.11 and 25.05 / unstable. As a workaround, set systemd.shutdownRamfs.enable = false;.

Affected

2 ranges
VendorProductVersion rangeFixed in
nixosnixpkgs< b17590193d8e5697000c23c66afcf11e1753734db17590193d8e5697000c23c66afcf11e1753734d
nixosnixpkgs< fbf76bf72b161b9f4ab97704a8258776d5f3ffbafbf76bf72b161b9f4ab97704a8258776d5f3ffba
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.