TL;DR: If you are using a multi-user (daemon-based) Nix installation, update immediately to a patched release: 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3 or 2.28.6.
Check your Nix version with `nix --version`.
Restrict access to the Nix daemon via `allowed-users`, and consider migrating to Tvix in the long term.
🚨 What Happened?
On April 7, 2026, details of a critical vulnerability CVE-2026-39860 (GHSA-g3g9-5vj6-r3gj) were published for the Nix package manager.
Technical Details
The vulnerability is in the output registration step for fixed-output derivations (FODs):
- The daemon created a temporary output file at a path inside the build chroot, i.e. in a directory that the build itself (and therefore whoever wrote the derivation) controls.
- Before the daemon wrote that file, the build could place a symbolic link at the same path, pointing to an arbitrary location in the host filesystem.
- When copying the build result, the Nix daemon process, which runs in the host namespace and typically as root, followed the symlink and wrote the output over the link's target.
The consequence is that anyone who can submit a build to the daemon can overwrite any file the daemon can write. Since the daemon almost always runs as root, that is an arbitrary file write as root, which in practice means root access to the host.
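The following is an added illustration of the bug class described above (a symlink planted in an attacker-controlled directory, followed by a privileged writer). It is not Nix's own code and does not reproduce the exact code path or the race timing of CVE-2026-39860; the scenario, file names and payload are constructed. It contrasts a plain open() for writing, which follows the link, with the create-exclusively pattern (O_CREAT|O_EXCL|O_NOFOLLOW) that refuses any pre-existing entry at the output path.

```python
import errno
import os
import tempfile
from pathlib import Path

ATTACKER_PAYLOAD = b"attacker-controlled\n"  # constructed


def setup_scenario(root: Path) -> tuple[Path, Path]:
    """Constructed scenario. 'build' stands in for the directory the untrusted
    builder controls; 'victim' stands in for a root-owned file outside it that
    only the daemon could write. The attacker has already planted a symlink at
    the path where the daemon will create its temporary output."""
    build = root / "build"
    build.mkdir()
    victim = root / "victim"
    victim.write_text("original contents\n")
    out = build / "result.tmp"
    os.symlink(victim, out)  # attacker-placed link: build dir -> outside file
    return out, victim


def vulnerable_register(out: Path, data: bytes) -> None:
    """Unsafe pattern: a plain open() for writing follows the symlink, so the
    privileged writer ends up writing *through* the link into the target."""
    with open(out, "wb") as f:
        f.write(data)


def hardened_register(out: Path, data: bytes) -> bool:
    """Safe pattern: create the output with O_CREAT|O_EXCL|O_NOFOLLOW. O_EXCL
    makes open() fail if anything (a symlink included, wherever it points)
    already exists at the path; O_NOFOLLOW is belt and braces. Returns True if
    the file was written, False if a pre-existing entry was refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(out, flags, 0o644)
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return True


def run_demo() -> dict:
    """Run both patterns against a fresh scenario each and report what
    happened to the victim file in each case."""
    with tempfile.TemporaryDirectory() as d:
        out, victim = setup_scenario(Path(d))
        vulnerable_register(out, ATTACKER_PAYLOAD)
        vulnerable_result = victim.read_text()
    with tempfile.TemporaryDirectory() as d:
        out, victim = setup_scenario(Path(d))
        written = hardened_register(out, ATTACKER_PAYLOAD)
        hardened_result = victim.read_text()
    return {
        "vulnerable_victim": vulnerable_result,  # "attacker-controlled\n": overwritten through the link
        "hardened_written": written,             # False: the planted link was refused
        "hardened_victim": hardened_result,      # "original contents\n": untouched
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The exclusive-create flags close the window in which a link can be substituted, but they are only half of the discipline: a privileged process should also never create its scratch files in a directory writable by the untrusted party in the first place. The real remediation for this CVE is to upgrade.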
🛡️ How to Reduce the Attack Surface Right Now
If you cannot update immediately, apply the following mitigations:
1. Restrict Access to the Nix Daemon
# configuration.nix (NixOS)
nix.settings.allowed-users = [ "@wheel" "@nix-users" ];
By default `allowed-users = *`, so every local user can connect to the daemon and submit builds, which is the precondition for this attack. The snippet above is NixOS syntax; in a hand-maintained /etc/nix/nix.conf the equivalent line is `allowed-users = @wheel @nix-users` (an `@` prefix names a group; substitute your own group for @nix-users).
2. Verify trusted-users
nix.settings.trusted-users = [ "root" "@wheel" ]; # Every entry here is root-equivalent via the daemon; keep the list minimal
Trusted users can pass arbitrary settings to the daemon: add substituters and their signing keys, override binary substitutes, and bypass checks that apply to ordinary users. In practice they are root-equivalent. The default is not empty but `root` only, so an extra entry such as @wheel is a deliberate widening and only appropriate for users who already hold root. Double-check that nothing else has crept in.
3. Enable the Sandbox
nix.settings.sandbox = true;
Important: The Nix sandbox is designed for reproducibility, not security. It uses chroot, namespaces, and bind mounts, but it is not intended to isolate system calls, and attacks such as a double chroot escape are theoretically possible. Note also that in this CVE the unsafe step (copying the output) is performed by the daemon in the host namespace, so the sandbox does not prevent it; it still limits what else a malicious build can reach, which is why it should stay on.
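To check a host against the TL;DR's version list and the three settings above without having to eyeball the config, here is an added audit script. It is not part of the advisory or of Nix; the patched-version table is copied from the list at the top of this page, the nix.conf and `nix --version` samples are constructed, and the defaults it assumes when a key is absent (`allowed-users = *`, `trusted-users = root`, `sandbox = true` on Linux) are Nix's documented ones.

```python
import re

# Patched releases from the advisory's list, keyed by (major, minor) series.
PATCHED_RELEASES = {
    (2, 34): 5, (2, 33): 4, (2, 32): 7, (2, 31): 4,
    (2, 30): 4, (2, 29): 3, (2, 28): 6,
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION_OUTPUT = "nix (Nix) 2.31.1"
SAMPLE_NIX_CONF = """\
# constructed /etc/nix/nix.conf
experimental-features = nix-command flakes
allowed-users = *
trusted-users = root @wheel
sandbox = true
"""

_VERSION_RE = re.compile(r"^nix \(Nix\) (\d+)\.(\d+)\.(\d+)")


def parse_nix_version(output: str) -> tuple[int, int, int]:
    """Parse the first line of `nix --version`, e.g. 'nix (Nix) 2.31.1'.
    Other implementations print a different banner and use their own version
    scheme, so they are rejected rather than misjudged against this table."""
    m = _VERSION_RE.match(output.strip().splitlines()[0])
    if not m:
        raise ValueError(f"unrecognised nix --version output: {output!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version: tuple[int, int, int]) -> str:
    """Compare against the patched list. A series newer than the advisory
    covers is reported as unknown rather than assumed fixed; an older series
    has no patched release at all and must be upgraded."""
    major, minor, patch = version
    fixed = PATCHED_RELEASES.get((major, minor))
    if fixed is None:
        return "unknown-newer" if (major, minor) > max(PATCHED_RELEASES) else "unsupported-series"
    return "patched" if patch >= fixed else "vulnerable"


def parse_nix_conf(text: str) -> dict[str, list[str]]:
    """Minimal nix.conf reader: 'key = v1 v2 ...' lines, '#' comments,
    'extra-<key>' appended to <key>. Does not follow include directives."""
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.startswith("extra-"):
            settings.setdefault(key[len("extra-"):], []).extend(value.split())
        else:
            settings[key] = value.split()
    return settings


def audit_settings(settings: dict[str, list[str]]) -> list[str]:
    """Flag the three settings the mitigation section discusses, applying
    Nix's documented defaults when a key is absent."""
    findings = []
    allowed = settings.get("allowed-users", ["*"])      # default: everyone
    if "*" in allowed:
        findings.append("allowed-users: '*' lets every local user submit builds to the daemon")
    trusted = settings.get("trusted-users", ["root"])   # default: root only
    if "*" in trusted:
        findings.append("trusted-users: '*' makes every user root-equivalent via the daemon")
    else:
        extra = [u for u in trusted if u != "root"]
        if extra:
            findings.append(f"trusted-users: {' '.join(extra)} are root-equivalent via the daemon; keep this list minimal")
    sandbox = settings.get("sandbox", ["true"])         # default on Linux: true
    if sandbox and sandbox[0] not in ("true", "relaxed"):
        findings.append(f"sandbox: set to {sandbox[0]!r}; builds run unconfined on the host filesystem")
    return findings


def audit(version_output: str, conf_text: str) -> dict:
    version = parse_nix_version(version_output)
    return {
        "version": version,
        "version_status": version_status(version),
        "findings": audit_settings(parse_nix_conf(conf_text)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VERSION_OUTPUT, SAMPLE_NIX_CONF)
    print("nix", ".".join(map(str, report["version"])), "->", report["version_status"])
    for finding in report["findings"]:
        print(" -", finding)
```

Feed it the real output of `nix --version` and either /etc/nix/nix.conf or the effective configuration printed by `nix config show` (`nix show-config` on older releases); on NixOS the file is generated from `nix.settings`, so auditing the generated file is what matters. The sample above reports 2.31.1 as vulnerable (2.31.4 is the fix for that series) and flags both the wildcard `allowed-users` and the widened `trusted-users`.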
🤔 Why Wasn’t Nix Built for Security?
This is important context that is often overlooked when criticizing Nix.
Nix is an experiment. Its original hypothesis: “Is it possible to create a fully functional package manager based on a purely functional build description language?”
The experiment succeeded: the hypothesis was confirmed, and we gained reproducible builds, declarative configuration, and a powerful dependency model.
But success comes at a cost:
| Development Priority | Consequence |
|---|---|
| Functionality & reproducibility | Security becomes a “second-tier” concern |
| Cross-platform support (all Unix) | Inability to fully leverage Linux-specific isolation mechanisms (Landlock, seccomp-bpf) |
| Ease of system integration | Daemon runs as root, increasing attack surface |
| Build performance | Rejection of “heavy” isolation mechanisms (KVM, gVisor) |
The Nix sandbox is a tool for dependency isolation, not for isolation from malicious code. This is a fundamental distinction every Nix user should understand.
🦊 Tvix: A Ground-Up Reimagining
Tvix is a re-implementation of Nix in Rust, designed to eliminate architectural limitations of the original that accumulated for historical reasons.
What Does Tvix Change?
- Memory safety thanks to Rust
- Modular architecture: evaluator, protocol implementation, and client are separate components
- Potential for improved isolation: easier integration of modern LSMs, seccomp, Landlock
- Performance: parallel evaluator, caching, no C++ overhead
Current Status
- ✅ Supports ~80% of packages from nixpkgs
- ✅ Used in devenv.sh for expression evaluation
- 🚧 Full nixpkgs compatibility is a goal, not yet reality
- 🚧 Not recommended for production without thorough testing
CVE-2026-39860 is not a bug — it’s a feature of the architecture. Vulnerabilities like this arise not from a “typo in the code”, but from fundamental trade-offs made 20 years ago. The longer we maintain the legacy codebase, the costlier each fix becomes.
Additionally, the Tvix developers are part of the TVL team. Their distributed team includes members working from Moscow, Saint Petersburg, and other regional offices. It is worth noting that talented engineers from Russia continue to make significant contributions to global open-source infrastructure — a source of pride for the local technical community.
P.S. One of the lead developers also has a talk about Tvix. Highly recommended for those interested in the internals.