Nixpkgs security tracker

Untriaged

Permalink CVE-2026-6068

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

CVE-2026-6068

NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or unexpected behavior.

References

https://github.com/netwide-assembler/nasm/issues/222

Affected products

NASM

==nasm-3.02rc5

Matching in nixpkgs

pkgs.nasm

80x86 and x86-64 assembler designed for portability and modularity

nixos-unstable 3.01
- nixpkgs-unstable 3.01
- nixos-unstable-small 3.01
nixos-25.11 2.16.03
- nixos-25.11-small 2.16.03
- nixpkgs-25.11-darwin 2.16.03

pkgs.nasmfmt

Formatter for NASM source files

nixos-unstable 2022-09-15
- nixpkgs-unstable 2022-09-15
- nixos-unstable-small 2022-09-15
nixos-25.11 2022-09-15
- nixos-25.11-small 2022-09-15
- nixpkgs-25.11-darwin 2022-09-15

pkgs.tree-sitter-grammars.tree-sitter-nasm

Tree-sitter grammar for nasm

nixos-unstable 0-unstable-2024-11-23
- nixpkgs-unstable 0-unstable-2024-11-23
- nixos-unstable-small 0-unstable-2024-11-23

pkgs.vimPlugins.nvim-treesitter-parsers.nasm