Nixpkgs security tracker

Untriaged

Permalink CVE-2026-6068

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 4 days, 3 hours ago

CVE-2026-6068

NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or unexpected behavior.

References

https://github.com/netwide-assembler/nasm/issues/222

Affected products

NASM

==nasm-3.02rc5

Matching in nixpkgs

pkgs.nasm

80x86 and x86-64 assembler designed for portability and modularity

nixos-unstable 3.01
- nixpkgs-unstable 3.01
- nixos-unstable-small 3.01
nixos-25.11 2.16.03
- nixos-25.11-small 2.16.03
- nixpkgs-25.11-darwin 2.16.03

pkgs.nasmfmt

Formatter for NASM source files

nixos-unstable 2022-09-15
- nixpkgs-unstable 2022-09-15
- nixos-unstable-small 2022-09-15
nixos-25.11 2022-09-15
- nixos-25.11-small 2022-09-15
- nixpkgs-25.11-darwin 2022-09-15

pkgs.tree-sitter-grammars.tree-sitter-nasm

Tree-sitter grammar for nasm

nixos-unstable 0-unstable-2024-11-23
- nixpkgs-unstable 0-unstable-2024-11-23
- nixos-unstable-small 0-unstable-2024-11-23

pkgs.vimPlugins.nvim-treesitter-parsers.nasm