
A Hidden Flaw in a Popular Developer Tool Could Let Anyone on Your System Take Full Control

A critical bug in the Nix package manager lets local users hijack the all-powerful root daemon. Millions of developer machines and servers may be at risk.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Nix Package Manager Root Exploit — CVE-2026-44028

If you use Nix or NixOS to manage software on your computer or server, a bug discovered this week means any other user on that machine — an intern, a compromised app, a malicious script — could silently seize total control of your system.

Who Is Affected — and How Many People Are We Talking About?

Nix is a package manager beloved by software developers, system administrators, and DevOps engineers for its reliability and reproducibility. NixOS, the Linux distribution built around it, has seen explosive growth in recent years, with estimates placing active installations in the millions across personal laptops, CI/CD build servers, and cloud infrastructure. A closely related fork called Lix, popular in the open-source community, is also vulnerable.

This isn't just a developer's problem. Companies rely on Nix-managed servers to build and deploy the apps you use every day — from web services to internal tools. If someone exploits this flaw on a shared build server or a multi-user development machine, the consequences can cascade far beyond a single computer.

What Actually Happens: The Story of a Trap Inside a File

To understand this bug, picture Nix's package system like a warehouse. When Nix ships software around, it packs everything into a special container format — a Nix Archive, or NAR file — a bit like a ZIP file but specifically designed for Nix's needs. When your system receives one of these archive files, it unpacks it by reading through the file's structure step by step. The problem is in how Nix reads that structure.

An attacker can craft a malicious NAR file that is nested so deeply — like a Russian doll with ten thousand layers — that the software trying to read it goes into a loop, calling itself over and over without end. In computing, every time a program calls itself like this, it uses a small slice of a special memory region called the stack. When that stack fills up completely and spills over, the program is supposed to crash safely. But here's the dangerous twist: Nix runs this particular code in a special execution context called a coroutine, and that coroutine's stack has no safety barrier around it. The overflow doesn't just crash the program — it silently spills into the adjacent memory heap, potentially overwriting live program data. With the right technique, an attacker can use that overwritten memory to inject and run their own code.

The code being hijacked here isn't just any program. It's the Nix daemon — a background service that, in the default "multi-user" installation mode used by the vast majority of people, runs with full root privileges. Root is the all-powerful administrator account on any Unix-like system. Whoever controls the daemon controls the entire machine: they can read every file, install backdoors, steal credentials, pivot to other systems on the network, or quietly wipe everything clean. By default, every user on the system is permitted to talk to this daemon — meaning the attack surface is as wide as your user list.

The Technical Anchor: Unguarded Coroutine Stack Enables Stack-to-Heap Overflow

For security researchers, the key detail here is the absence of a guard page on the coroutine stack within Nix's NAR parser. Guard pages are a standard OS-level mitigation: a region of memory marked as inaccessible that sits at the boundary of a stack, so that any overflow immediately triggers a hardware fault and kills the process safely before damage is done. Because Nix allocates its coroutine stacks manually without this protection, unbounded recursion in the parser creates a stack-to-heap overflow — a vulnerability class that can be leveraged for arbitrary code execution if Address Space Layout Randomization (ASLR) is bypassed or sufficiently brute-forced. This vulnerability is tracked as CVE-2026-44028 and carries a CVSS score of 7.5 (HIGH).
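As an added illustration of the two mechanisms described above (the recursive archive walker and the missing guard page), the following C is example code written for this page. It is not Nix's or Lix's code and does not use the NAR format: it mmaps a coroutine stack with a PROT_NONE guard page below it, runs a depth-limited recursive walker over a constructed toy nested format on that stack via ucontext, and rejects input nested deeper than MAX_DEPTH before recursion can consume any stack. The toy format, the MAX_DEPTH value and every function name here are assumptions for the example.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* Hard cap on nesting, chosen for this example; the walker rejects deeper
 * input before recursion can consume a meaningful amount of any stack. */
#define MAX_DEPTH 64
struct guarded_stack {
    void  *mapping;      /* whole mapping, guard page included */
    size_t map_size;
    void  *usable;       /* first byte above the guard page */
    size_t usable_size;
};

/* mmap a coroutine stack with one PROT_NONE page at its low end. A downward-
 * growing stack that runs off its end then faults on the guard page instead
 * of writing into whatever the allocator placed below it. */
int alloc_guarded_stack(struct guarded_stack *s, size_t size)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t psz = (size_t)page;
    size_t rounded = (size + psz - 1) / psz * psz;
    void *m = mmap(NULL, rounded + psz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    if (mprotect(m, psz, PROT_NONE) != 0) { munmap(m, rounded + psz); return -1; }
    s->mapping = m;
    s->map_size = rounded + psz;
    s->usable = (char *)m + psz;
    s->usable_size = rounded;
    return 0;
}
void free_guarded_stack(struct guarded_stack *s) { munmap(s->mapping, s->map_size); }

/* Toy nested format, constructed for this example (not the NAR layout):
 * lowercase letters are leaf entries, '(' ... ')' encloses a nested group.
 * walk() returns the deepest level reached, or -1 on malformed input or
 * when nesting exceeds MAX_DEPTH. */
static int walk(const char **p, int depth)
{
    if (depth > MAX_DEPTH) return -1;          /* the depth limit */
    int deepest = depth;
    while (**p != '\0' && **p != ')') {
        char c = *(*p)++;
        if (c == '(') {
            int d = walk(p, depth + 1);
            if (d < 0) return -1;
            if (**p != ')') return -1;         /* unterminated group */
            (*p)++;
            if (d > deepest) deepest = d;
        } else if (c < 'a' || c > 'z') {
            return -1;                         /* unexpected byte */
        }
    }
    return deepest;
}
int parse_nested(const char *input)
{
    const char *p = input;
    int d = walk(&p, 0);
    return (d < 0 || *p != '\0') ? -1 : d;     /* a stray ')' is an error too */
}

/* Run the parser as a coroutine on a guarded stack (ucontext, glibc). */
static ucontext_t co_main, co_parser;
static struct { const char *input; int result; } co_job;
static void co_entry(void) { co_job.result = parse_nested(co_job.input); }
int parse_on_guarded_stack(const char *input, size_t stack_size)
{
    struct guarded_stack gs;
    if (alloc_guarded_stack(&gs, stack_size) != 0) return -1;
    co_job.input = input; co_job.result = -1;
    if (getcontext(&co_parser) != 0) { free_guarded_stack(&gs); return -1; }
    co_parser.uc_stack.ss_sp = gs.usable;
    co_parser.uc_stack.ss_size = gs.usable_size;
    co_parser.uc_link = &co_main;              /* resume here when done */
    makecontext(&co_parser, co_entry, 0);
    swapcontext(&co_main, &co_parser);
    free_guarded_stack(&gs);
    return co_job.result;
}

/* Build n nested groups "(((...)))" and parse them on a 256 KiB guarded
 * stack: a huge n is rejected by the depth check, never by a stack fault. */
int parse_deeply_nested(int n)
{
    char *buf = malloc((size_t)n * 2 + 1);
    if (!buf) return -1;
    memset(buf, '(', (size_t)n);
    memset(buf + n, ')', (size_t)n);
    buf[n * 2] = '\0';
    int r = parse_on_guarded_stack(buf, 256 * 1024);
    free(buf);
    return r;
}
```

Build with `cc guarded.c` on Linux/glibc. The two defences are independent: the depth cap means the recursion can never become unbounded in the first place, and the guard page turns any overrun that does slip through into a clean fault on an inaccessible page rather than a silent write into heap memory.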

Real-World Context: Discovered, Not Yet Weaponized — But the Clock Is Ticking

As of publication, no active exploitation has been confirmed in the wild. There are no known victim organizations and no public proof-of-concept exploit code circulating — yet. That window of safety is precious but historically short. Once a CVE with this level of detail is public, experienced researchers and opportunistic attackers typically need only days to build a working exploit, especially when the target (a daemon running as root) is so valuable.

The vulnerability was disclosed through the official Nix security process, and patches were issued promptly by both the Nix and Lix maintainer teams. Security teams monitoring NixOS deployments in enterprise environments or CI/CD pipelines should treat this as a priority patch, not a "get to it eventually" update. Shared build environments — where multiple developers or automated systems connect to the same Nix daemon — are particularly exposed.

What You Should Do Right Now

  1. Update immediately to Nix 2.34.7 or later (or Lix 2.95.2 or later).
    Run nix upgrade-nix or update via your system's package manager. On NixOS, update your nixpkgs channel and rebuild: sudo nixos-rebuild switch --upgrade. Verify your version with nix --version and confirm it reads 2.34.7 or higher before considering yourself protected.
  2. Audit and restrict who can talk to the Nix daemon.
    In your /etc/nix/nix.conf, review the allowed-users setting. The default is * (everyone). If your setup permits it, restrict this to only the users and service accounts that genuinely need package management access. This won't eliminate the bug but it dramatically reduces the attack surface until you can patch.
  3. Treat shared build servers and CI/CD agents as critical priority.
    Any machine where multiple users or automated pipelines connect to a single Nix daemon is the highest-risk environment. Patch these first, before personal workstations. If you cannot patch immediately, consider temporarily disabling multi-user mode or isolating the daemon behind stricter network or process controls until the patch can be applied.
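The version check in step 1 and the allowed-users audit in step 2 can be scripted. The POSIX shell below is an added example for this page, not a tool from the Nix or Lix projects: it compares the version reported by nix --version against the fixed releases named above (2.34.7 for Nix, 2.95.2 for Lix) and flags a nix.conf whose allowed-users is absent or contains the wildcard. The exact output formats of nix --version for Nix and Lix, and the sample nix.conf contents, are assumptions made for the example.

```shell
#!/bin/sh
# Added audit example (not Nix/Lix code). Version floors are from the advisory;
# the `nix --version` output formats and the sample nix.conf are assumptions.

NIX_FIXED="2.34.7"
LIX_FIXED="2.95.2"

# version_ge A B: exit 0 when dotted version A is >= B (numeric per component,
# missing components count as 0, trailing text such as "7pre" compares as 7).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# classify_version_line LINE: print "nix VERSION" or "lix VERSION".
# Assumed formats: "nix (Nix) 2.34.6" and "nix (Lix, like Nix) 2.95.1".
classify_version_line() {
    case "$1" in
        *Lix*) printf 'lix %s\n' "${1##* }" ;;
        *)     printf 'nix %s\n' "${1##* }" ;;
    esac
}

# is_patched LINE: exit 0 when the reported version is at or above the fixed
# release for its flavor; an empty or unparsable line counts as not patched.
is_patched() {
    set -- $(classify_version_line "$1")
    if [ "$1" = lix ]; then floor=$LIX_FIXED; else floor=$NIX_FIXED; fi
    version_ge "$2" "$floor"
}

# allowed_users_is_open CONF: exit 0 when allowed-users is missing (the default
# is "*") or contains the "*" wildcard, i.e. every local account may talk to
# the daemon. A missing file is treated the same as a missing setting.
allowed_users_is_open() {
    val=$(sed -n 's/^[[:space:]]*allowed-users[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    [ -z "$val" ] && return 0
    # subshell with globbing off so a literal "*" is not expanded to filenames
    ( set -f; for tok in $val; do [ "$tok" = '*' ] && exit 0; done; exit 1 )
}

# Demonstration on constructed inputs, then on this host if nix is installed.
demo() {
    conf=$(mktemp)
    printf 'experimental-features = nix-command flakes\nallowed-users = *\n' > "$conf"
    for line in "nix (Nix) 2.34.6" "nix (Nix) 2.34.7" "nix (Lix, like Nix) 2.95.1"; do
        if is_patched "$line"; then echo "patched   : $line"; else echo "VULNERABLE: $line"; fi
    done
    if allowed_users_is_open "$conf"; then echo "allowed-users is open (*) in sample $conf"; fi
    rm -f "$conf"
    if command -v nix >/dev/null 2>&1; then
        if is_patched "$(nix --version 2>/dev/null | head -n 1)"; then
            echo "this host: patched"
        else
            echo "this host: update needed"
        fi
        if allowed_users_is_open /etc/nix/nix.conf; then echo "this host: allowed-users is open"; fi
    fi
}
demo
```

Run it as any user; reading /etc/nix/nix.conf needs no privileges. Restricting allowed-users reduces who can reach the daemon but does not remove the bug, so the version check is the one that decides whether a host is fixed.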

CVE-2026-44028 affects Nix before version 2.34.7 and Lix before version 2.95.2. Patches are available now from both projects. There is no evidence of active exploitation at the time of publication.
