CVE-2026-44028: Nix/Lix Unbounded Recursion Leads to RCE as Root

The National Vulnerability Database (NVD) has detailed CVE-2026-44028, a critical vulnerability impacting Nix before version 2.34.7 and Lix before 2.95.2. This flaw stems from unbounded recursion within the NAR (Nix Archive) parser, which can trigger a stack-to-heap overflow. Crucially, the stack is allocated without a guard page, creating a direct path for memory corruption on the heap.

Attackers can leverage this to achieve arbitrary code execution as the Nix daemon, which commonly runs with root privileges in multi-user installations. This is a local privilege escalation scenario, exploitable by any user capable of connecting to the daemon, a setting often defaulting to all users in Nix environments. Bypassing ASLR hardening is a prerequisite for successful exploitation, but that’s a hurdle, not a blocker, for determined adversaries.

The NVD notes that Nix versions 2.24.4 through 2.34.6 are affected, with specific fixes available in 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7. For Lix, versions 2.93.0 through 2.95.1 are vulnerable, with fixes in 2.95.2, 2.94.2, and 2.93.4. The CVSSv3.1 score is a high 7.5, reflecting the significant impact on confidentiality and integrity, with a low attack complexity once local access is achieved.

What This Means For You

  • If your organization uses Nix or Lix in multi-user configurations, this vulnerability is a direct path to root-level compromise for any local user. You need to immediately identify all instances running affected versions. Prioritize patching to the specified fixed versions to prevent local privilege escalation. This isn't theoretical; it's a critical architectural weakness that an attacker will exploit once they gain a foothold.
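The triage step above, as an added example (not code from NVD, Nix, Lix or the original post): a Python check that classifies a reported version against the per-branch fixed releases listed in this advisory. The `nix --version` output shapes and the sample strings are assumptions constructed for illustration.

```python
import re

# Version data taken from the advisory text above.
FIRST_AFFECTED = {"nix": (2, 24, 4), "lix": (2, 93, 0)}
FIXED_PATCH = {  # release branch (major, minor) -> first fixed patch level
    "nix": {(2, 34): 7, (2, 33): 6, (2, 32): 8, (2, 31): 5,
            (2, 30): 5, (2, 29): 4, (2, 28): 7},
    "lix": {(2, 95): 2, (2, 94): 2, (2, 93): 4},
}
# Assumed shape of `nix --version` output, e.g. "nix (Nix) 2.34.6"
# or "nix (Lix, like Nix) 2.93.3".
VERSION_RE = re.compile(r"\((Lix|Nix)[^)]*\)\s+(\d+)\.(\d+)\.(\d+)")

# Constructed sample inputs, as might be collected from a host inventory.
SAMPLES = [
    "nix (Nix) 2.34.6",
    "nix (Nix) 2.31.5",
    "nix (Nix) 2.26.3",
    "nix (Lix, like Nix) 2.93.3",
]


def classify(version_output):
    """Return (product, version, status) for one line of version output."""
    m = VERSION_RE.search(version_output)
    if not m:
        return ("unknown", None, "unparsed")
    product = m.group(1).lower()
    version = tuple(int(x) for x in m.group(2, 3, 4))
    fixes = FIXED_PATCH[product]
    branch = version[:2]
    if version < FIRST_AFFECTED[product]:
        status = "predates-bug"
    elif branch in fixes:
        status = "fixed" if version[2] >= fixes[branch] else "affected"
    elif branch > max(fixes):
        status = "fixed"  # newer than the newest patched branch
    else:
        # Inside the affected range, but the advisory lists no fixed
        # release for this branch (e.g. Nix 2.24.4 to 2.27.x).
        status = "affected-no-backport-listed"
    return (product, version, status)


if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", classify(line))
```

Hosts reported as `affected-no-backport-listed` need a move to a branch that has a fixed release, since a patch-level update within their own branch is not listed.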

🛡️ Detection Rules

title: CVE-2026-44028: Nix/Lix Unbounded Recursion in NAR Parser
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
  Detects the execution of Nix or Lix daemons with command-line arguments that suggest processing a NAR file, which is the vector for CVE-2026-44028. This vulnerability exploits unbounded recursion in the NAR parser, potentially leading to RCE as root.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44028/
tags:
  - attack.privilege_escalation
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  # Both fields must match. This log source records process start-up command
  # lines only; data sent by a client that connects to an already running
  # daemon is not visible to it.
  selection:
    Image|endswith:
      - 'nix-daemon'
      - 'lix-daemon'
    CommandLine|contains:
      - '--nar'
  # The condition belongs directly under detection, not inside the selection map.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID | Type | Indicator
CVE-2026-44028 | RCE | Nix before 2.34.7 (introduced in 2.24.4)
CVE-2026-44028 | RCE | Lix before 2.95.2 (introduced in 2.93.0)
CVE-2026-44028 | Privilege Escalation | Unbounded recursion in NAR (Nix Archive) parser leading to stack-to-heap overflow
CVE-2026-44028 | Memory Corruption | Stack overflow overwriting memory on the heap due to lack of guard page

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 04:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
