CVE-2024-38531
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-38531
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38531.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-38531
- Aliases
-
- GHSA-q82p-44mg-mgh5
- Downstream
- Published
- 2024-06-28T13:18:58.604Z
- Modified
- 2025-11-30T18:53:42.368947Z
- Severity
-
- 3.6 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- Nix sandbox escape
- Details
-
Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38531.json", "cwe_ids": [ "CWE-278" ], "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/nixos/nix
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nixos/nix
- Events
- Database specific
{ "versions": [ { "introduced": "2.23.0" }, { "fixed": "2.23.1" } ] }
- Type
- GIT
- Repo
- https://github.com/nixos/nix
- Events
- Database specific
{ "versions": [ { "introduced": "2.22.0" }, { "fixed": "2.22.2" } ] }
- Type
- GIT
- Repo
- https://github.com/nixos/nix
- Events
- Database specific
{ "versions": [ { "introduced": "2.21.0" }, { "fixed": "2.21.3" } ] }
- Type
- GIT
- Repo
- https://github.com/nixos/nix
- Events
- Database specific
{ "versions": [ { "introduced": "2.20.0" }, { "fixed": "2.20.7" } ] }