The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
History

Fri, 27 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Weaknesses CWE-282
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-06-27T00:00:00.000Z

Updated: 2025-06-27T15:49:08.285Z

Reserved: 2025-04-24T00:00:00.000Z

Link: CVE-2025-46416

cve-icon Vulnrichment

Updated: 2025-06-27T15:49:03.318Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-06-27T14:15:38.163

Modified: 2025-06-30T18:38:48.477

Link: CVE-2025-46416

cve-icon Redhat

No data.