Nixpkgs security tracker

Untriaged

Permalink CVE-2026-6067

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 4 days, 3 hours ago

CVE-2026-6067

A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a malicious .asm file, potentially leading to heap memory corruption, denial of service (crash), and arbitrary code execution.

References

https://github.com/netwide-assembler/nasm/issues/203

Affected products

NASM

==nasm-3.02rc5

Matching in nixpkgs

pkgs.nasm

80x86 and x86-64 assembler designed for portability and modularity

nixos-unstable 3.01
- nixpkgs-unstable 3.01
- nixos-unstable-small 3.01
nixos-25.11 2.16.03
- nixos-25.11-small 2.16.03
- nixpkgs-25.11-darwin 2.16.03

pkgs.nasmfmt

Formatter for NASM source files

nixos-unstable 2022-09-15
- nixpkgs-unstable 2022-09-15
- nixos-unstable-small 2022-09-15
nixos-25.11 2022-09-15
- nixos-25.11-small 2022-09-15
- nixpkgs-25.11-darwin 2022-09-15

pkgs.tree-sitter-grammars.tree-sitter-nasm

Tree-sitter grammar for nasm

nixos-unstable 0-unstable-2024-11-23
- nixpkgs-unstable 0-unstable-2024-11-23
- nixos-unstable-small 0-unstable-2024-11-23

pkgs.vimPlugins.nvim-treesitter-parsers.nasm