2.9
CVE-2025-46416
- EPSS 0.16%
- Veröffentlicht 27.06.2025 00:00:00
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerNixOS
≫
Produkt
Nix
Default Statusunknown
Version <=
2.24.15
Version
0
Status
affected
Version <=
2.26.4
Version
2.25.0
Status
affected
Version <=
2.28.4
Version
2.27.0
Status
affected
Version <=
2.29.1
Version
2.29.0
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.052 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cve@mitre.org | 2.9 | 1.4 | 1.4 |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-282 Improper Ownership Management
The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/
https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017
https://lix.systems/blog/2025-06-24-lix-cves/
https://labs.snyk.io
https://security.snyk.io/vuln/?search=CVE-2025-46416
https://security-tracker.debian.org/tracker/CVE-2025-46416