CVE-2026-44028

An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44028.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "2.93.0"
                },
                {
                    "fixed": "2.93.4"
                },
                {
                    "introduced": "2.94.0"
                },
                {
                    "fixed": "2.94.2"
                },
                {
                    "introduced": "2.95.0"
                },
                {
                    "fixed": "2.95.2"
                }
            ]
        }
    ],
    "cna_assigner": "mitre",
    "cwe_ids": [
        "CWE-674"
    ]
}

References

Affected packages

Git / github.com/nixos/nix

Affected ranges

Type: GIT
Repo: https://github.com/nixos/nix
Events: Introduced

8e6cda649a12964370addcdf68907b66661c3265

Fixed

2c6d06e9387cf58167cb5a7ab91cee7333d8d17c

Affected versions

2.*

2.34.0

2.34.1

2.34.2

2.34.3

2.34.4

2.34.5

2.34.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44028.json"