PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44028 Discourse CVE debrief

CVE-2026-44028 was publicly disclosed on 2026-05-05 and updated on 2026-05-09. The issue affects Nix and Lix and centers on unbounded recursion in the NAR (Nix Archive) parser. In the affected code path, a stack overflow on a coroutine stack that has no guard page can corrupt heap memory. Because the Nix daemon runs as root in multi-user deployments, this may lead to arbitrary code execution as root if ASLR hardening is bypassed. The CVE is rated HIGH (CVSS 7.5), but the attack is local and requires the ability to connect to the daemon.

Vendor: Discourse
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-09
Advisory published: 2026-05-05
Advisory updated: 2026-05-09

Who should care

Administrators and security teams running multi-user Nix or Lix installations, especially hosts where untrusted local users may be allowed to connect to the daemon.

Technical summary

NVD describes the flaw as unbounded recursion in the NAR parser, classified as CWE-674 (Uncontrolled Recursion). The parser can overflow a coroutine stack that is allocated without a guard page, turning a stack overflow into a stack-to-heap overflow that may corrupt adjacent heap memory. NVD assigns CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, reflecting that exploitation is local, has high attack complexity, requires low privileges, and has the potential for high confidentiality and integrity impact. The affected ranges called out in the advisory are Nix before 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.4), and Lix before 2.95.2, 2.94.2, and 2.93.4 (introduced in 2.93.0).

Defensive priority

High: patch promptly, with priority on shared or multi-user systems where local users can reach the daemon.

Recommended defensive actions

  • Upgrade Nix to a fixed release: 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7, depending on the branch in use.
  • Upgrade Lix to a fixed release: 2.95.2, 2.94.2, or 2.93.4, depending on the branch in use.
  • Review daemon access controls, including the allowed-users setting, and restrict access to trusted users only.
  • Prioritize remediation on multi-user hosts and any environment where local users can connect to the Nix daemon.
  • After upgrading, verify the daemon starts cleanly and investigate any unexpected crashes or memory-corruption symptoms.
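To make the per-branch version check above mechanical, here is an added example (not code from PatchSiren, Nix or Lix) that classifies an installed Nix or Lix version against the affected and fixed ranges stated in this debrief. The `nix --version` output formats it recognises ("nix (Nix) X.Y.Z" and "nix (Lix, like Nix) X.Y.Z") are an assumption, not something the advisory states.

```python
import re

# Affected ranges as stated in the debrief: first affected release, and the fixed release per branch.
NIX_INTRODUCED = (2, 24, 4)
NIX_FIXED = {(2, 34): (2, 34, 7), (2, 33): (2, 33, 6), (2, 32): (2, 32, 8),
             (2, 31): (2, 31, 5), (2, 30): (2, 30, 5), (2, 29): (2, 29, 4), (2, 28): (2, 28, 7)}
LIX_INTRODUCED = (2, 93, 0)
LIX_FIXED = {(2, 95): (2, 95, 2), (2, 94): (2, 94, 2), (2, 93): (2, 93, 4)}


def parse_version(text):
    """Extract the leading major.minor.patch tuple from a version string such as '2.34.7' or '2.33.6pre20260101'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Return 'unaffected', 'vulnerable', 'fixed' or 'not-listed' for a Nix or Lix version string."""
    introduced, fixed = {"nix": (NIX_INTRODUCED, NIX_FIXED), "lix": (LIX_INTRODUCED, LIX_FIXED)}[product.lower()]
    v = parse_version(version)
    if v < introduced:
        return "unaffected"          # predates the release that introduced the bug
    branch = v[:2]
    if branch < min(fixed):
        return "vulnerable"          # affected since introduction, but the advisory names no fixed release for this branch
    if branch > max(fixed):
        return "not-listed"          # newer than every branch the advisory covers; do not assume either way
    return "fixed" if v >= fixed[branch] else "vulnerable"


def assess_nix_version_output(output):
    """Classify the first line of `nix --version`.
    Assumption (not from the advisory): Lix reports 'nix (Lix, like Nix) X.Y.Z', Nix reports 'nix (Nix) X.Y.Z'."""
    product = "lix" if "(Lix" in output else "nix"
    m = re.search(r"(\d+\.\d+\.\d+\S*)", output)
    if not m:
        raise ValueError(f"no version found in: {output!r}")
    return product, assess(product, m.group(1))


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    for line in ["nix (Nix) 2.34.6", "nix (Nix) 2.28.7", "nix (Lix, like Nix) 2.93.3", "nix (Nix) 2.24.3"]:
        print(line, "->", assess_nix_version_output(line))
```

A branch reported as "not-listed" should be checked against the vendor advisory directly rather than assumed fixed.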

Evidence notes

This debrief is based only on the supplied CVE record and its linked official references. The NVD snapshot is dated 2026-05-05 and modified 2026-05-09, and it describes the flaw as an unbounded-recursion parser bug that can become a stack-to-heap overflow on coroutine stacks without guard pages. The record also provides the CVSS vector, CWE-674 mapping, affected version ranges, and references to the NixOS advisory, GitHub Security Advisory, Lix blog advisory, and oss-security announcements. NVD marks the vulnerability status as Deferred in the supplied snapshot.

Official resources

Publicly disclosed on 2026-05-05 and updated on 2026-05-09. The supplied NVD snapshot marks the record as Deferred and links to the NixOS, GitHub, Lix, and oss-security advisories.