CVE-2026-44028 Overview
CVE-2026-44028 is a stack-to-heap overflow vulnerability in the Nix Archive (NAR) parser used by Nix and Lix package managers. Unbounded recursion during NAR parsing exhausts a coroutine stack that is allocated without a guard page. Stack frames then overwrite adjacent heap memory, creating a path to arbitrary code execution as the Nix daemon, which runs as root in multi-user installations. Any user permitted to connect to the daemon can trigger the flaw. The default allowed-users setting grants this access to all local users. The issue is tracked as CWE-674: Uncontrolled Recursion.
Critical Impact
Local users who can reach the Nix daemon can corrupt heap memory and, by bypassing ASLR, execute arbitrary code as root on multi-user Nix and Lix installations.
Affected Products
- Nix versions 2.24.4 through 2.34.6 (and matching releases on the 2.28–2.33 branches)
- Lix versions 2.93.0 through 2.95.1 (including 2.93.x and 2.94.x branches)
- Multi-user NixOS installations where the Nix daemon runs as root
Discovery Timeline
- 2026-05-05 - CVE-2026-44028 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-44028
Vulnerability Analysis
The vulnerability resides in the NAR parser, which deserializes the Nix Archive format used to transfer store paths. The parser handles nested structures using recursive function calls. There is no depth limit, so an attacker-supplied NAR with deeply nested entries causes recursion to grow without bound.
The parser executes on a coroutine stack rather than the main thread stack. Coroutine stacks in this implementation are heap-allocated and lack a guard page. When recursion exhausts the stack, writes do not trigger a fault. They instead spill into adjacent heap allocations, corrupting in-flight objects controlled by the daemon process. This converts a classic stack overflow into a heap corruption primitive.
Exploitation requires bypassing Address Space Layout Randomization (ASLR) to reliably control the corrupted heap region. The local attack vector and high attack complexity reflect this requirement. Successful exploitation grants code execution in the privilege context of the Nix daemon, which is root on multi-user installations.
Root Cause
The root cause is uncontrolled recursion combined with an unguarded coroutine stack. The NAR parser does not enforce a maximum nesting depth. The coroutine runtime allocates stacks from the heap without inserting a guard page between the stack and neighboring heap chunks.
Attack Vector
An authenticated local user connects to the Nix daemon socket and submits a crafted NAR archive. The daemon parses the archive on a coroutine, recursion overflows the stack, and the overflow rewrites heap data structures owned by the daemon. The default allowed-users = * configuration in nix.conf exposes the daemon to every local account on the system. Refer to the GitHub Security Advisory GHSA-vh5x-56v6-4368 for further technical detail.
Detection Methods for CVE-2026-44028
Indicators of Compromise
- Unexpected crashes, segmentation faults, or aborts of the nix-daemon process recorded in journalctl -u nix-daemon
- Anomalous child processes spawned by nix-daemon that do not match normal build activity
- Connections to /nix/var/nix/daemon-socket/socket from user accounts that do not normally invoke Nix
Detection Strategies
- Monitor nix-daemon process integrity and alert on unexpected exits, core dumps, or memory protection faults
- Audit submissions of NAR archives with abnormally deep nesting or oversized structural metadata
- Track privilege transitions where a non-root user's interaction with the daemon precedes a root-context process spawn
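The depth check the Root Cause section says is missing, as an added example (not code from Nix or Lix, and not the upstream fix): a small NAR walker that refuses to recurse past a configured nesting limit, usable for the audit of abnormally deep NAR submissions listed above. The NAR string framing and node grammar follow the documented archive format; the default limit of 64 and the nested_nar test fixture are assumptions made here.

```python
class NarTooDeep(ValueError): pass

def nar_strings(*parts: bytes) -> bytes:  # NAR string: u64 LE length, payload, zero pad to 8
    return b"".join(len(p).to_bytes(8, "little") + p + b"\0" * (-len(p) % 8) for p in parts)

def _fields(data: bytes, pos: int = 0):  # yield each length-prefixed string in order
    while pos + 8 <= len(data):
        n = int.from_bytes(data[pos:pos + 8], "little")
        yield data[pos + 8:pos + 8 + n]
        pos += 8 + n + (-n % 8)

def _expect(it, *want: bytes) -> None:
    for w in want:
        if (got := next(it, None)) != w:
            raise ValueError(f"expected {w!r}, got {got!r}")

def _node_depth(it, depth: int, limit: int) -> int:
    if depth > limit:  # checked before recursing, so the walker's own stack is bounded too
        raise NarTooDeep(f"nesting exceeds {limit}")
    _expect(it, b"(", b"type")
    kind, deepest = next(it, None), depth
    if kind == b"directory":
        while (tok := next(it, None)) != b")":
            if tok != b"entry":
                raise ValueError("malformed directory node")
            _expect(it, b"(", b"name"); next(it, None); _expect(it, b"node")
            deepest = max(deepest, _node_depth(it, depth + 1, limit))
            _expect(it, b")")
        return deepest  # the loop consumed this node's closing ")"
    if kind == b"regular" and next(it, None) == b"executable":
        _expect(it, b"", b"contents")  # optional flag, else that token was "contents"
    elif kind == b"symlink":
        _expect(it, b"target")
    elif kind != b"regular":
        raise ValueError(f"unknown node type {kind!r}")
    next(it, None)  # file contents or link target, irrelevant to the depth check
    _expect(it, b")")
    return deepest

def nar_max_depth(data: bytes, limit: int = 64) -> int:
    it = _fields(data)  # root node is depth 0; raises NarTooDeep beyond limit
    _expect(it, b"nix-archive-1")
    return _node_depth(it, 0, limit)

def nested_nar(levels: int) -> bytes:  # constructed fixture, not a real store path
    leaf = nar_strings(b"(", b"type", b"regular", b"contents", b"", b")")  # one empty file
    wrap = nar_strings(b"(", b"type", b"directory", b"entry", b"(", b"name", b"d", b"node")
    for _ in range(levels):  # each level is a directory holding the single entry "d"
        leaf = wrap + leaf + nar_strings(b")", b")")
    return nar_strings(b"nix-archive-1") + leaf
```

Because the limit is tested before each recursive call, the walker's own stack use is capped by the limit regardless of the input, which is the property the vulnerable parser lacked.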
Monitoring Recommendations
- Enable Linux audit rules on /nix/var/nix/daemon-socket/socket to log connecting UIDs and process lineage
- Forward nix-daemon systemd journal output to a central SIEM for retention and correlation
- Review the allowed-users and trusted-users directives in /etc/nix/nix.conf and alert on any expansion of these lists
How to Mitigate CVE-2026-44028
Immediate Actions Required
- Upgrade Nix to 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7 depending on the deployed branch
- Upgrade Lix to 2.95.2, 2.94.2, or 2.93.4 depending on the deployed branch
- Restrict the allowed-users setting in nix.conf to a minimal list of trusted accounts until patches are applied
- Audit existing systems for unauthorized changes to /etc/nix/nix.conf and the daemon binary
Patch Information
The Nix and Lix maintainers released fixed versions on May 4, 2026. Apply the upgrade matching your release branch. See the NixOS Security Advisory and the Openwall oss-security disclosure for the full patch matrix.
Workarounds
- Set allowed-users to a curated list of administrative accounts to limit who can reach the daemon
- Disable or stop the nix-daemon service on systems that do not require multi-user Nix functionality
- Switch affected hosts to single-user Nix installations where the daemon does not run as root
# Configuration example
# /etc/nix/nix.conf - restrict daemon access until patched
# @nix-users names a local group; substitute the group your administrators belong to
allowed-users = @nix-users
trusted-users = root

# Verify that the installed version is at or above the fixed release for your branch
nix --version
# Expected: nix (Nix) 2.34.7, or the fixed release of the branch you run (2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4 or 2.28.7 for Nix; 2.95.2, 2.94.2 or 2.93.4 for Lix)
# Restart the daemon after upgrade
sudo systemctl restart nix-daemon
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.