An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "2.93.0"
},
{
"fixed": "2.93.4"
},
{
"introduced": "2.94.0"
},
{
"fixed": "2.94.2"
},
{
"introduced": "2.95.0"
},
{
"fixed": "2.95.2"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44028.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-674"
]
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "2.24.4"
},
{
"fixed": "2.28.7"
},
{
"introduced": "2.29.0"
},
{
"fixed": "2.29.4"
},
{
"introduced": "2.30.0"
},
{
"fixed": "2.30.5"
},
{
"introduced": "2.31.0"
},
{
"fixed": "2.31.5"
},
{
"introduced": "2.32.0"
},
{
"fixed": "2.32.8"
},
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.6"
},
{
"introduced": "2.34.0"
},
{
"fixed": "2.34.7"
}
]
}