Browse all 26 CVE security advisories affecting NixOS. AI-powered Chinese analysis, POCs, and references for each vulnerability.
NixOS is a Linux distribution distinguished by its declarative configuration model and reproducible builds, primarily serving developers and system administrators who want infrastructure stability. Its package management system isolates software environments, which reduces dependency conflicts but makes security auditing more complex. Historically, vulnerabilities within the Nix ecosystem have frequently involved privilege escalation and remote code execution, often stemming from improper handling of user-supplied data in configuration files or build scripts. Across the 26 recorded CVEs, the flaws typically affect the package manager itself, or specific packages and NixOS modules built from the Nix store, rather than the core kernel. Notable incidents have highlighted risks related to insecure temporary file creation and race conditions during package installation. While the architecture promotes integrity through cryptographic hashing, the steep learning curve can lead to misconfigurations that expose systems to unauthorized access or data leakage if not strictly managed.
| CVE ID | Title | Project | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-25740 | Privilege escalation to the `CAP_NET_RAW` capability via the `programs.captive-browser` NixOS module | nixpkgs | CWE-250 | 8.8 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25137 | NixOS Odoo database and filestore publicly accessible with default odoo configuration | nixpkgs | CWE-552 | 9.1 | Critical | 2026-02-02 |
| CVE-2026-23838 | Tandoor Recipes module allows SQLite database to be externally accessible with the default settings | nixpkgs | CWE-538 | 7.5 (AI) | High (AI) | 2026-01-19 |
| CVE-2025-64766 | NixOS has hardcoded credentials in Onlyoffice module | nixpkgs | CWE-798 | 5.3 | Medium | 2025-11-17 |
| CVE-2025-32438 | Local privilege escalation in make-initrd-ng | nixpkgs | CWE-378 | 8.8 | High | 2025-04-15 |
This page lists every published CVE security advisory associated with NixOS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.