CVE-2026-39860
Published: 08 April 2026
Summary
CVE-2026-39860 is a critical-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in NixOS Nix. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 12.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mitigates the symlink following vulnerability by requiring timely patching of Nix to the fixed versions, which stop arbitrary file overwrites during fixed-output derivation output registration.
CM-6 (Configuration Settings): enforces secure configuration of the Nix daemon, such as restricting the allowed-users setting to trusted users only, so untrusted local users cannot submit malicious builds.
CM-7 (Least Functionality): limits the Nix daemon to the capabilities it actually needs, for example by not accepting build submissions from all users, reducing the opportunity for symlink-based privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1068 (Exploitation for Privilege Escalation): symlink following during output registration lets any unprivileged user who can submit builds overwrite arbitrary root-writable files, turning a bug in the package manager into root privilege escalation.
NVD Description
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
Deeper analysis
CVE-2026-39860 is a symlink following vulnerability (CWE-61) in the Nix package manager for Linux and other Unix systems, stemming from a bug in the fix for CVE-2024-27297. It affects sandboxed Linux builds during fixed-output derivation output registration, where the temporary output path resides inside the build chroot. A malicious derivation builder can create a symlink at that path pointing to an arbitrary filesystem location writable by the Nix process, typically the root-owned Nix daemon in multi-user installations. Sandboxed macOS builds are unaffected. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
Any local user able to submit builds to the Nix daemon—who, by default, includes all users in multi-user setups—can exploit this to achieve arbitrary file overwrites. By crafting a fixed-output derivation that places a symlink in the chrooted temporary output directory, the attacker tricks the host Nix process (operating outside the chroot in the host mount namespace) into following the symlink during output registration. This copies the derivation's output contents to the targeted location, enabling modification of sensitive root-writable files and potential root privilege escalation.
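The mechanism described in the two paragraphs above, as an added example that is not Nix's own code: a temporary directory stands in for the host filesystem and a subdirectory inside it for the build chroot. `register_output_naive` mimics a host-side writer that trusts the builder-controlled temporary output path, so a planted symlink redirects its write to the victim file; `register_output_safe` opens with O_CREAT|O_EXCL (plus O_NOFOLLOW where defined) so the kernel refuses when anything, a symlink included, already sits at that path. The function names, paths and payload bytes are assumptions for the demo.

```python
import os
import tempfile

# Constructed stand-in for "the derivation's output contents" that the host
# process writes out during output registration.
PAYLOAD = b"attacker-controlled derivation output\n"


def builder_plants_symlink(tmp_output_path: str, victim_path: str) -> None:
    """The malicious builder runs inside the chroot, but the temporary output
    path lives inside that chroot too, so the builder can pre-create a symlink
    there pointing anywhere in the host filesystem."""
    os.symlink(victim_path, tmp_output_path)


def register_output_naive(tmp_output_path: str, payload: bytes) -> None:
    """Vulnerable pattern: a plain open() follows the builder's symlink, so a
    root-owned host process ends up writing the payload to the link target."""
    with open(tmp_output_path, "wb") as fh:
        fh.write(payload)


def register_output_safe(tmp_output_path: str, payload: bytes) -> None:
    """Hardened pattern: O_CREAT|O_EXCL makes open(2) fail with EEXIST if
    anything, including a symlink, already exists at the final path
    component; O_NOFOLLOW is belt-and-braces on platforms that define it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(tmp_output_path, flags, 0o644)
    try:
        os.write(fd, payload)
    finally:
        os.close(fd)


def run_registration(register) -> tuple:
    """Build the scenario, run one registration strategy against a planted
    symlink, and return (victim_overwritten, registration_refused)."""
    with tempfile.TemporaryDirectory() as host_root:
        # Stand-in for a sensitive root-writable file on the host.
        victim = os.path.join(host_root, "etc", "sensitive")
        os.makedirs(os.path.dirname(victim))
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")

        # Stand-in for the build chroot; the temporary output path is inside it.
        chroot = os.path.join(host_root, "build-chroot")
        tmp_output = os.path.join(chroot, "nix", "store", "output.tmp")
        os.makedirs(os.path.dirname(tmp_output))

        builder_plants_symlink(tmp_output, victim)

        refused = False
        try:
            register(tmp_output, PAYLOAD)
        except OSError:
            refused = True

        with open(victim, "rb") as fh:
            overwritten = fh.read() == PAYLOAD
        return overwritten, refused


if __name__ == "__main__":
    print("naive registration:", run_registration(register_output_naive))
    print("safe registration: ", run_registration(register_output_safe))
```

The O_EXCL check only protects the final path component: a builder that controls a parent directory of the temporary path could still redirect the write through a symlinked directory. That is why the NVD text singles out the location of the temporary output (inside the chroot) as the defect, rather than the open flags alone.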
Mitigation requires updating to a patched Nix version: 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, or 2.28.6. Relevant patches are available in NixOS/nix GitHub commits such as 244f3eee0bbc7f11e9b383a15ed7368e2c4becc9, 4bc5a3510fa3735798f9ed3a2a30a3ea7b32343a, 7794354a982449927ee7401cdeb573ddd16c4688, and a3163b9eabb952b4aa96e376dea95ebcca97b31a, along with pull request 10178.
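The two remediation steps this page gives, patching to a fixed release and restricting allowed-users (the substance of the SI-2 and CM-6 controls listed earlier), as an added example that is not Nix's own tooling: a small check that compares `nix --version` output against the fixed-version list above and reads allowed-users out of a nix.conf. The fixed versions are the ones this page names; the sample configs, the `@wheel` choice and the function names are assumptions for the demo, and a release line the page does not list is reported as unknown rather than guessed.

```python
import re

# Minimum fixed patch release per maintained line, taken from the advisory text.
FIXED_BY_LINE = {
    (2, 34): 5,
    (2, 33): 4,
    (2, 32): 7,
    (2, 31): 4,
    (2, 30): 4,
    (2, 29): 3,
    (2, 28): 6,
}


def parse_nix_version(version_output: str) -> tuple:
    """Pull (major, minor, patch) out of 'nix --version' output such as
    'nix (Nix) 2.34.5', or out of a bare '2.34.5' string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not match:
        raise ValueError(f"no x.y.z version found in {version_output!r}")
    return tuple(int(part) for part in match.groups())


def is_fixed(version_output: str):
    """True if the installed release carries the fix, False if its line has a
    fixed release the host is below, None if the advisory does not name the
    line at all (check upstream rather than assuming either way)."""
    major, minor, patch = parse_nix_version(version_output)
    line = (major, minor)
    if line not in FIXED_BY_LINE:
        return None
    return patch >= FIXED_BY_LINE[line]


def parse_nix_conf(text: str) -> dict:
    """Minimal nix.conf reader: 'key = value ...' lines, '#' comments, values
    split on whitespace. Enough for the setting audited here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.split()
    return settings


def audit_build_submitters(conf_text: str) -> dict:
    """Report who may submit builds to the daemon. Nix's default for
    allowed-users is '*', which is the exposure the advisory describes."""
    settings = parse_nix_conf(conf_text)
    allowed = settings.get("allowed-users", ["*"])
    return {
        "allowed-users": allowed,
        "everyone_can_submit_builds": "*" in allowed,
    }


# Constructed sample configs for the demo.
WEAK_CONF = """
# no allowed-users line: the daemon keeps the default '*'
sandbox = true
"""

HARDENED_CONF = """
sandbox = true
# illustrative restriction: root plus members of the wheel group
allowed-users = root @wheel
"""

if __name__ == "__main__":
    for label, ver in [("patched", "nix (Nix) 2.34.5"),
                       ("unpatched", "nix (Nix) 2.32.6"),
                       ("unlisted line", "2.27.1")]:
        print(f"{label}: {ver} -> fixed={is_fixed(ver)}")
    print("weak conf:", audit_build_submitters(WEAK_CONF))
    print("hardened conf:", audit_build_submitters(HARDENED_CONF))
```

On a real host, feed `nix --version` output to `is_fixed` and the contents of the daemon's nix.conf (not a per-user config, since it is the daemon's setting that gates build submission) to `audit_build_submitters`. A None from `is_fixed` means the release line is outside what this page lists, which is a prompt to check upstream, not a clean bill of health.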
Details
- CWE(s)