CVE-2026-44028

 

Severity Score (CVSS v3.1): 7.5
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): Track*

Descriptions

An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).

*Credits: N/A
CVSS Scores
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
Exploitation: None
Automatable: No
Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2026-05-05 CVE Reserved
  • 2026-05-05 CVE Published
  • 2026-05-09 CVE Updated
  • 2026-05-11 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-674: Uncontrolled Recursion
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| NixOS | Nix | >= 2.24.4 < 2.28.7 | en | Affected |
| NixOS | Nix | >= 2.29.0 < 2.29.4 | en | Affected |
| NixOS | Nix | >= 2.30.0 < 2.30.5 | en | Affected |
| NixOS | Nix | >= 2.31.0 < 2.31.5 | en | Affected |
| NixOS | Nix | >= 2.32.0 < 2.32.8 | en | Affected |
| NixOS | Nix | >= 2.33.0 < 2.33.6 | en | Affected |
| NixOS | Nix | >= 2.34.0 < 2.34.7 | en | Affected |
| Lix Project | Lix | >= 2.93.0 < 2.93.4 | en | Affected |
| Lix Project | Lix | >= 2.94.0 < 2.94.2 | en | Affected |
| Lix Project | Lix | >= 2.95.0 < 2.95.2 | en | Affected |