CVE Tools
Sign in

CVE-2026-39860

Nix sandbox escape: file write via symlink at FOD `.tmp` copy destination

Published: Apr 8, 2026Updated: Apr 15, 2026 Sources: CVE List NVD BDUCWE-61
NVD MITRE
9.0CVSSCRITICAL
EPSS Score
0.2%
Top 90.9%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.

CVSS Vector Breakdown

AV:LAC:LPR:NUI:NS:CC:HI:HA:N
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:CScope
Changed
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-61

Affected Products

nixNixOS
On-prem
Operating Systems / linux-distro
Debian GNU/LinuxСообщество свободного программного обеспечения
On-premOS
Operating Systems / linux-distro
NixСообщество свободного программного обеспечения
On-prem
Operating Systems / linux-distro
nixnixos
On-prem
Operating Systems / linux-distro
nixososs-projectOperating Systems
сообщество свободного программного обеспеченияoss-projectOperating Systemsaka сообщество свободного программного обеспечения, fsf

Exploitability

Official Patch Available
Workaround Available

References

https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj
github.com
https://github.com/NixOS/nix/pull/10178
github.com
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
github.com
and 5 more references View all →

Timeline

Published
Apr 8, 2026
Last Updated
Apr 15, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-39860 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows