CVE-2026-44028
Published: 05 May 2026
Summary
CVE-2026-44028 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in the Nix and Lix package managers, specifically in the NAR (Nix Archive) parser used by the Nix daemon. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 0.4th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-44028 is an unbounded recursion vulnerability in the NAR (Nix Archive) parser. It affects Nix from 2.24.4, where the flaw was introduced, until the fixed release 2.34.7 and the backported fixes 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4 and 2.28.7; and Lix from 2.93.0 until the fixed releases 2.95.2, 2.94.2 and 2.93.4. NAR is a nested format (directory nodes contain entries that are themselves nodes), and the parser recurses once per level of nesting, so an attacker-supplied archive chooses the recursion depth. When the parser runs on a coroutine stack that was allocated without a guard page, exhausting that stack does not fault: the overflow writes past the end of the stack region into adjacent heap memory and corrupts it.
A local, low-privileged attacker (PR:L) who can connect to the Nix daemon can trigger the flaw; which users may connect is governed by the allowed-users setting, which defaults to all users. Exploitation has high attack complexity (AC:H) because the heap corruption must still be turned into control of execution, for instance by bypassing ASLR hardening, but success yields arbitrary code execution as the Nix daemon, which runs as root in multi-user installations. The CVSS v3.1 vector is AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N (base score 7.5): high confidentiality and integrity impact, no availability impact scored, and changed scope because a compromised root daemon reaches well beyond the attacker's own privilege boundary.
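As an added illustration of the recursion pattern the advisory describes (this is example code written for this page, not code from Nix or Lix, and neither advisory publishes the vulnerable routine), the C++ program below reimplements a minimal reader for the documented NAR layout: every field is an 8-byte little-endian length followed by the bytes, zero-padded to a multiple of 8, and a directory node carries "entry" records whose "node" field is itself a node. parseNode recurses once per nested node. With maxDepth set to 0 it follows the unbounded pattern; with a limit it rejects a constructed archive of 100,000 nested directories after 65 frames. buildNestedNar, NarReader, the directory name "d" and the limit of 64 are this example's own choices, not values taken from either project.

```cpp
// Added illustrative NAR reader for CVE-2026-44028 (not Nix or Lix code).
// Strings: u64 little-endian length, bytes, zero padding to a multiple of 8.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <string_view>

// Encode one NAR string field.
static std::string narStr(std::string_view s) {
    std::string out;
    uint64_t n = s.size();
    for (int i = 0; i < 8; ++i) out.push_back(static_cast<char>((n >> (8 * i)) & 0xff));
    out.append(s);
    while (out.size() % 8) out.push_back('\0');
    return out;
}

// Constructed test input: `depth` nested directories named "d" with an empty
// regular file at the bottom. Built with loops, so the builder never recurses.
static std::string buildNestedNar(size_t depth) {
    const std::string open  = narStr("(") + narStr("type") + narStr("directory")
                            + narStr("entry") + narStr("(") + narStr("name")
                            + narStr("d") + narStr("node");
    const std::string close = narStr(")") + narStr(")");
    const std::string leaf  = narStr("(") + narStr("type") + narStr("regular")
                            + narStr("contents") + narStr("") + narStr(")");
    std::string out = narStr("nix-archive-1");
    out.reserve(out.size() + depth * (open.size() + close.size()) + leaf.size());
    for (size_t i = 0; i < depth; ++i) out += open;
    out += leaf;
    for (size_t i = 0; i < depth; ++i) out += close;
    return out;
}

struct NarReader {
    std::string_view buf;
    size_t pos = 0;
    std::string_view readStr() {
        if (buf.size() - pos < 8) throw std::runtime_error("truncated length");
        uint64_t n = 0;
        for (int i = 0; i < 8; ++i) n |= uint64_t(uint8_t(buf[pos + i])) << (8 * i);
        pos += 8;
        if (n > buf.size() - pos) throw std::runtime_error("truncated string");
        std::string_view s = buf.substr(pos, n);
        pos += n + ((8 - n % 8) % 8);   // skip zero padding
        if (pos > buf.size()) throw std::runtime_error("truncated padding");
        return s;
    }
    void expect(std::string_view want) {
        if (readStr() != want) throw std::runtime_error("unexpected token");
    }
};

// Parse one node; returns the deepest nesting level reached.
// maxDepth == 0 disables the check: that is the unbounded pattern, where the
// archive's nesting decides how many stack frames the parser consumes.
static size_t parseNode(NarReader& r, size_t depth, size_t maxDepth) {
    if (maxDepth != 0 && depth > maxDepth) throw std::runtime_error("nesting too deep");
    r.expect("(");
    r.expect("type");
    std::string_view type = r.readStr();
    size_t deepest = depth;
    if (type == "regular") {
        std::string_view tok = r.readStr();
        if (tok == "executable") { r.expect(""); tok = r.readStr(); }
        if (tok != "contents") throw std::runtime_error("bad regular node");
        r.readStr();                                    // file contents
    } else if (type == "symlink") {
        r.expect("target");
        r.readStr();
    } else if (type == "directory") {
        for (;;) {
            std::string_view tok = r.readStr();
            if (tok == ")") return deepest;             // closes the directory node
            if (tok != "entry") throw std::runtime_error("bad directory node");
            r.expect("("); r.expect("name"); r.readStr(); r.expect("node");
            size_t d = parseNode(r, depth + 1, maxDepth);   // one frame per nested node
            if (d > deepest) deepest = d;
            r.expect(")");                              // closes the entry
        }
    } else {
        throw std::runtime_error("unknown node type");
    }
    r.expect(")");
    return deepest;
}

// Parse a whole archive under a nesting limit (0 = unlimited).
static size_t parseNar(std::string_view nar, size_t maxDepth) {
    NarReader r{nar};
    r.expect("nix-archive-1");
    return parseNode(r, 0, maxDepth);
}

static bool narAccepted(std::string_view nar, size_t maxDepth) {
    try { parseNar(nar, maxDepth); return true; }
    catch (const std::exception&) { return false; }
}

int main() {
    bool a = narAccepted(buildNestedNar(10), 64);       // accepted
    bool b = narAccepted(buildNestedNar(100000), 64);   // rejected at depth 65
    return (a && !b) ? 0 : 1;
}
```

The unbounded mode is only run on shallow input here. Fed the 100,000-level archive, parseNode with maxDepth 0 would recurse 100,000 frames; on a thread stack that ends in a guard page the process faults, whereas on a coroutine stack allocated without one the same overrun lands in heap memory, which is the condition the advisory describes. The limit the projects' fixes actually apply is not stated in the advisory; 64 is illustrative, and a real limit should be chosen from the deepest legitimate store path the daemon must accept.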
Advisories recommend upgrading to the fixed versions listed above. Additional details are available in the NixOS Discourse security advisory at https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407, the Nix GitHub security advisory at https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368, and oss-security mailing list announcements at https://www.openwall.com/lists/oss-security/2026/05/04/32 and https://www.openwall.com/lists/oss-security/2026/05/04/33. The vulnerability is associated with CWE-674 (Uncontrolled Recursion).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27163
Vulnerability details
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
- CWE(s): CWE-674 (Uncontrolled Recursion)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unbounded recursion in the NAR parser, reachable by any local user who can talk to the daemon and leading to a stack-to-heap overflow and code execution as root in the Nix daemon, maps directly to T1068 Exploitation for Privilege Escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor-supplied patches that eliminate the unbounded recursion flaw in the NAR parser.
- SI-10 (Information Input Validation): mandates validation and sanity checks on untrusted NAR input, including a bound on nesting depth, to block the uncontrolled recursion that triggers the stack-to-heap overflow.
- Enforce the allowed-users restriction so that only explicitly authorized principals can submit archives to the root-owned Nix daemon; this narrows who can reach the vulnerable code path while patches are rolled out.