#VU125379 UNIX Symbolic Link (Symlink) Following in nix - CVE-2026-39860

Published: April 8, 2026 / Updated: April 9, 2026


Vulnerability identifier: #VU125379
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39860
CWE-ID: CWE-61
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
nix
Software vendor:
nixos.org

Description

The vulnerability allows a local attacker to escalate privileges.

The vulnerability exists due to UNIX symbolic link following in fixed-output derivation output registration, when temporary fixed-output derivation outputs are copied out of the build chroot. A local attacker can create a symlink at the temporary output path so that the privileged copy step follows it, overwriting arbitrary files writable by the copying process and escalating privileges.

Only sandboxed Linux builds are affected; sandboxed macOS builds are unaffected.
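The pattern behind CWE-61 here, as an added illustration that is not Nix's registration code: a privileged step operates on a path that the unprivileged build was allowed to populate, and `open()` silently resolves a symlink planted there. The in-place rewrite, the `victim.txt`/`sandbox/out` names and the payload are assumptions used only to make the effect observable; the hardened variant shows the check a practitioner wants (`lstat` refusing non-regular files plus `O_NOFOLLOW` so the kernel rejects a link raced in after the check).

```python
"""Constructed model of CWE-61 (symlink following) in a privileged output
finalisation step, alongside a hardened version. Not Nix's own code; the
in-place rewrite and all file names are assumptions for the demonstration."""
import os
import stat
import tempfile
from typing import Callable, Tuple


def naive_finalize(output_path: str, payload: bytes) -> None:
    """Vulnerable pattern: open() follows symlinks, so if the untrusted
    output path is a symlink the truncate-and-write lands on its target."""
    with open(output_path, "wb") as f:
        f.write(payload)


def safe_finalize(output_path: str, payload: bytes) -> None:
    """Hardened pattern: lstat the path (does not follow links), reject
    anything but a regular file, then open with O_NOFOLLOW so a symlink
    swapped in between the check and the open fails with ELOOP."""
    st = os.lstat(output_path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"refusing to follow symlink at {output_path}")
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError(f"unexpected file type at {output_path}")
    fd = os.open(output_path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)
    try:
        os.write(fd, payload)
    finally:
        os.close(fd)


def demo(finalize: Callable[[str, bytes], None]) -> Tuple[bool, bytes]:
    """Build a sandbox whose output path is a symlink to a file outside it
    (the attacker's move), run `finalize` on it, and report whether it
    refused and what the victim file contains afterwards."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.txt")   # constructed victim file
        with open(victim, "wb") as f:
            f.write(b"original")
        sandbox = os.path.join(root, "sandbox")
        os.mkdir(sandbox)
        out = os.path.join(sandbox, "out")          # the "temporary output"
        os.symlink(victim, out)                     # attacker plants the link
        refused = False
        try:
            finalize(out, b"attacker-controlled")
        except (RuntimeError, OSError):
            refused = True
        with open(victim, "rb") as f:
            return refused, f.read()


if __name__ == "__main__":
    print("naive:", demo(naive_finalize))   # (False, b'attacker-controlled')
    print("safe: ", demo(safe_finalize))    # (True, b'original')
```

`O_NOFOLLOW` only protects the final path component; if intermediate directories under the output path are also attacker-writable, walk them with `openat()` on directory descriptors (or `os.open` with `dir_fd`) rather than trusting a full string path.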


Remediation

Install the security update from the vendor's website.

External links