CVE-2024-27297

Name of the Vulnerable Software and Affected Versions Nix versions prior to 2.3.18 Nix versions prior to 2.18.2 Nix versions prior to 2.19.4 Nix versions prior to 2.20.5

Description The issue is related to errors in synchronization when using a shared resource in the Nix package manager for Unix operating systems. Exploitation of this issue may allow a remote attacker to modify the output of packages in the Nix store. This can be achieved by sending file descriptors to files in the Nix store to another program running on the host via Unix domain sockets in the abstract namespace, allowing the modification of the output of fixed-output derivations after Nix has registered the path as valid and immutable in the Nix database.

Recommendations For versions prior to 2.3.18, upgrade to version 2.3.18 or later. For versions prior to 2.18.2, upgrade to version 2.18.2 or later. For versions prior to 2.19.4, upgrade to version 2.19.4 or later. For versions prior to 2.20.5, upgrade to version 2.20.5 or later. As a temporary workaround, consider restricting access to the Nix store to minimize the risk of exploitation. Users can update to the latest version using the command nixos-rebuild switch --flake flake path directory#hostname or nix flake update --extra-experimental-features "nix-command flakes".