
Critical Privilege Escalation Flaw in Nix Package Manager Fixed in Fedora 43

Severity: High (Score: 72.8)

Sources: Linuxsecurity

Summary

A serious privilege escalation vulnerability (CVE-2026-39860) was discovered in the Nix package manager, affecting users of Fedora 43 and earlier versions. The flaw allows non-root users to escalate their privileges via symlink following during output registration. This vulnerability was published on April 8, 2026, and has been addressed in the latest update to Nix version 2.31.4. Users are advised to upgrade their systems using the 'dnf' update program to mitigate the risk. The update includes improvements and fixes related to the nix-daemon.

The vulnerability poses a significant risk as it can potentially allow unauthorized access to critical system functions. Affected systems include Fedora 42 and 43, as well as other Unix-like systems that utilize Nix. The urgency of the update is underscored by the critical nature of the flaw.

Key Points:

  • CVE-2026-39860 allows privilege escalation for non-root users in the Nix package manager.
  • The vulnerability affects Fedora 42 and 43, requiring immediate updates to version 2.31.4.
  • Users should apply the patch using 'dnf upgrade --advisory FEDORA-2026-6c1a1c78c1' to mitigate risks.

Key Entities

  • CVE-2026-39860 (cve)
  • CWE-269 - Improper Privilege Management (cwe)
  • readme.fedora.md (domain)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • Linux (platform)
  • Unix (platform)