Critical Local Privilege Escalation Vulnerability in Nix Package Manager
Severity: High (Score: 72.0)
Sources: Linuxsecurity
Summary
On May 14, 2026, Fedora released a critical patch for the Nix package manager, version 2.31.5, addressing a high-severity local privilege escalation vulnerability tracked as GHSA-vh5x-56v6-4368. The flaw allows non-root users to escalate their privileges, potentially compromising system integrity. It affects Fedora 42 and 43 systems that use the Nix package manager. The patch followed an advisory from the Fedora Project urging users to upgrade immediately to mitigate potential exploitation. The vulnerability is classified as high severity because of its potential impact on system security. Users are advised to apply the update with the 'dnf' package manager. The vulnerability was first disclosed on May 5, 2026, and has been confirmed by the Fedora security team; the situation remains critical, and users should ensure their systems are updated promptly.

Key Points:
- A critical local privilege escalation vulnerability in Nix affects Fedora 42 and 43.
- The vulnerability allows non-root users to gain elevated privileges on the system.
- Users are urged to upgrade to Nix version 2.31.5 to mitigate the risk.
Key Entities
- Privilege Escalation (attack_type)
- CWE-269 - Improper Privilege Management (cwe)
- readme.fedora.md (domain)
- T1068 - Exploitation for Privilege Escalation (mitre_attack)
- Linux (platform)