CVE-2024-38531
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-38531
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38531.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-38531
- Aliases
-
- GHSA-q82p-44mg-mgh5
- Downstream
- Published
- 2024-06-28T13:18:58Z
- Modified
- 2025-10-14T16:49:06.440921Z
- Severity
-
- 3.6 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- Nix sandbox escape
- Details
-
Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.
- References
Affected packages
Git / github.com/NixOS/nix
Affected ranges
- Type
- GIT
- Repo
- https://github.com/NixOS/nix
- Events
- Type
- GIT
- Repo
- https://github.com/NixOS/nix
- Events
- Type
- GIT
- Repo
- https://github.com/NixOS/nix
- Events
- Type
- GIT
- Repo
- https://github.com/NixOS/nix
- Events
- Type
- GIT
- Repo
- https://github.com/NixOS/nix
- Events
- Type
- GIT
- Repo
- https://github.com/NixOS/nix
- Events