E-Ink News Daily

An exploitable integer overflow in Lix (CVE-2026-44028)

A critical integer overflow vulnerability (CVE-2026-44028) has been discovered in Lix, potentially allowing attackers to achieve out-of-bounds writes. The issue, which affects multiple Lix versions, can be exploited through specially crafted NAR archives, though successful exploitation requires defeating ASLR. Patched versions (Lix ≥ 2.93.4, ≥ 2.94.2, ≥ 2.95.2) have been released, and users are strongly advised to update immediately.

Background

Lix is a fork of the Nix package manager, focused on improving the user experience while maintaining compatibility with the Nix ecosystem. Integer overflow vulnerabilities in package managers are serious because these tools parse untrusted input (such as archives fetched from remote sources) during package operations, so a single miscalculated length can become a memory-safety bug.

Source: Lobsters
Published: May 6, 2026 at 12:44 AM
Score: 8.0 / 10