Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged

Filter by:

With package: mold

Found 1 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-3994

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

rui314 mold Object File input-files.cc initialize_sections heap-based overflow

A vulnerability was detected in rui314 mold up to 2.40.4. This issue affects the function mold::ObjectFilemold::X86_64::initialize_sections of the file src/input-files.cc of the component Object File Handler. Performing a manipulation results in heap-based buffer overflow. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-350476 | rui314 mold Object File input-files.cc initialize_sections heap-based overflow vdb-entrytechnical-description
VDB-350476 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #769772 | rui314 mold mold 2.40.4 and main-branch Heap-based Buffer Overflow third-party-advisory
https://github.com/rui314/mold/issues/1548 issue-tracking
https://github.com/oneafter/0209/blob/main/mo2/repro exploit
https://github.com/rui314/mold/ product

Affected products

mold

==2.40.3
==2.40.4
==2.40.1
==2.40.0
==2.40.2

Matching in nixpkgs

pkgs.mold

Faster drop-in replacement for existing Unix linkers (unwrapped)

nixos-unstable 2.40.4
- nixpkgs-unstable 2.40.4
- nixos-unstable-small 2.40.4
nixos-25.11 2.40.4
- nixos-25.11-small 2.40.4
- nixpkgs-25.11-darwin 2.40.4

pkgs.molden

Display and manipulate molecular structures

nixos-unstable 6.3
- nixpkgs-unstable 6.3
- nixos-unstable-small 6.3
nixos-25.11 6.3
- nixos-25.11-small 6.3
- nixpkgs-25.11-darwin 6.3

pkgs.mold-wrapped

Faster drop-in replacement for existing Unix linkers (unwrapped) (wrapper script)

nixos-unstable 2.40.4
- nixpkgs-unstable 2.40.4
- nixos-unstable-small 2.40.4
nixos-25.11 2.40.4
- nixos-25.11-small 2.40.4
- nixpkgs-25.11-darwin 2.40.4

pkgs.mold-unwrapped

Faster drop-in replacement for existing Unix linkers (unwrapped)

nixos-unstable 2.40.4
- nixpkgs-unstable 2.40.4
- nixos-unstable-small 2.40.4

pkgs.home-assistant-component-tests.mold_indicator

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.mold_indicator

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@azahi Azat Bahawi <azat@bahawi.net>
@paveloom Pavel Sobolev <contact@paveloom.dev>
@markuskowa Markus Kowalewski <markus.kowalewski@gmail.com>

1