Cyber Resilience

CVE-2026-44028

High

Published: 05 May 2026
Modified: 09 May 2026
KEV Added: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-44028 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Nixos (the affected product is inferred from references). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 0.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-44028 is an unbounded recursion vulnerability in the NAR (Nix Archive) parser. It affects Nix versions before 2.34.7 (the fix is also backported in 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7; the bug was introduced in 2.24.4) and Lix versions before 2.95.2 (also fixed in 2.94.2 and 2.93.4; introduced in 2.93.0). The issue arises when the parser runs on a coroutine stack that was allocated without a guard page: instead of faulting at the end of the stack, a deep recursion writes past it into adjacent heap memory, producing a stack-to-heap overflow that corrupts the heap.

A local attacker with low privileges (PR:L) who can connect to the Nix daemon (access is configurable via the allowed-users setting and defaults to all users) can exploit this vulnerability. Exploitation has high attack complexity (AC:H), for example because ASLR hardening must be bypassed, but a successful exploit yields arbitrary code execution as the Nix daemon, which runs as root in multi-user installations. The CVSS v3.1 base score is 7.5 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity with changed scope.

Advisories recommend upgrading to the fixed versions listed above. Additional details are available in the NixOS Discourse security advisory at https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407, the Nix GitHub security advisory at https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368, and oss-security mailing list announcements at https://www.openwall.com/lists/oss-security/2026/05/04/32 and https://www.openwall.com/lists/oss-security/2026/05/04/33. The vulnerability is associated with CWE-674 (Uncontrolled Recursion).
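The root cause described above is recursion whose depth is controlled by the nesting of the archive being parsed, with no bound that stops it before the coroutine stack is exhausted. The defensive pattern that SI-10 (input validation) points at is an explicit depth budget checked before every recursive descent, so hostile nesting is rejected with a clean parse error long before the stack is at risk. The following is an added illustration written for this page, not code from Nix or Lix: it parses a simplified S-expression-style stand-in for a NAR directory tree (the real NAR wire encoding is not reproduced here), and the MAX_DEPTH value is an assumed policy limit rather than anything the advisories specify.

```python
"""Bounded-depth recursive parser for a NAR-like nested directory tree.

Illustrative stand-in for the real Nix Archive encoding (added example, not
Nix's parser): nodes are written as S-expression-style tokens, e.g.

    (dir (entry a (file)) (entry b (dir (entry c (file)))))

The point is the explicit depth budget that is checked *before* recursing,
not the wire format.
"""
import re
from dataclasses import dataclass, field

MAX_DEPTH = 64  # assumed policy limit; the page does not state the bound Nix uses


class NarParseError(ValueError):
    """Any malformed or rejected input; raised instead of crashing."""


class NarDepthExceeded(NarParseError):
    """Nesting deeper than the configured budget."""


@dataclass
class Node:
    kind: str                              # "file" or "dir"
    entries: dict = field(default_factory=dict)


_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def tokenize(text: str) -> list:
    """Split input into '(' , ')' and bare words."""
    return _TOKEN.findall(text)


class Parser:
    def __init__(self, tokens: list, max_depth: int = MAX_DEPTH):
        self.toks = tokens
        self.pos = 0
        self.max_depth = max_depth

    def _next(self) -> str:
        if self.pos >= len(self.toks):
            raise NarParseError("unexpected end of input")
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def _expect(self, want: str) -> None:
        tok = self._next()
        if tok != want:
            raise NarParseError(f"expected {want!r}, got {tok!r}")

    def parse_node(self, depth: int = 0) -> Node:
        # Guard before consuming anything: each nested directory costs one unit
        # of budget, so attacker-controlled nesting can never push the call
        # stack more than max_depth frames deep.
        if depth > self.max_depth:
            raise NarDepthExceeded(f"nesting deeper than {self.max_depth}")
        self._expect("(")
        kind = self._next()
        if kind == "file":
            self._expect(")")
            return Node("file")
        if kind != "dir":
            raise NarParseError(f"unknown node type {kind!r}")
        node = Node("dir")
        while True:
            tok = self._next()
            if tok == ")":
                return node
            if tok != "(":
                raise NarParseError(f"expected '(' or ')', got {tok!r}")
            self._expect("entry")
            name = self._next()
            # Reject duplicate and reserved names as part of input validation.
            if name in node.entries or name in ("", ".", ".."):
                raise NarParseError(f"bad entry name {name!r}")
            node.entries[name] = self.parse_node(depth + 1)
            self._expect(")")


def parse_nar(text: str, max_depth: int = MAX_DEPTH) -> Node:
    p = Parser(tokenize(text), max_depth)
    node = p.parse_node()
    if p.pos != len(p.toks):
        raise NarParseError("trailing tokens after root node")
    return node


def nested_dirs(n: int) -> str:
    """Constructed hostile input: n nested directories, the shape that drives recursion."""
    return "(dir (entry d " * n + "(file)" + "))" * n


def tree_depth(node: Node) -> int:
    """Depth of the parsed tree (0 for a file or empty directory)."""
    if node.kind != "dir" or not node.entries:
        return 0
    return 1 + max(tree_depth(c) for c in node.entries.values())


if __name__ == "__main__":
    print("ok:", tree_depth(parse_nar(nested_dirs(10))))
    try:
        parse_nar(nested_dirs(10_000))
    except NarDepthExceeded as e:
        print("rejected:", e)
```

The check sits at the top of parse_node rather than inside the loop so that every entry point into the recursion is covered; a depth counter threaded through the calls (instead of a global) keeps the bound correct when the same parser object is reused or when parsing runs on a coroutine with a small stack.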


Vulnerability details

An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).

CWE(s)

CWE-674 Uncontrolled Recursion

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local unbounded recursion in the Nix daemon's NAR parser, leading to a stack-to-heap overflow and arbitrary code execution as root, directly enables T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23066 (shared CWE-674)
CVE-2026-34211 (shared CWE-674)
CVE-2026-3520 (shared CWE-674)
CVE-2026-33508 (shared CWE-674)
CVE-2026-39376 (shared CWE-674)
CVE-2025-1492 (shared CWE-674)
CVE-2026-32141 (shared CWE-674)
CVE-2007-1285 (shared CWE-674)
CVE-2026-44289 (shared CWE-674)
CVE-2026-32944 (shared CWE-674)

Affected Assets

Nixos (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Directly requires timely application of the vendor-supplied patches that eliminate the unbounded recursion flaw in the NAR parser.

Prevent (SI-10 Information Input Validation): Mandates validation and sanity checks on untrusted NAR input to block the uncontrolled recursion that triggers the stack-to-heap overflow.

Prevent: Enforces the allowed-users restriction so that only explicitly authorized principals can submit archives to the root-owned Nix daemon.
