Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2025-11919
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Unprotected temporary directories in Wolfram Cloud may result in privilege escalation

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.

Affected products

Cloud
  • ==14.2
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()

In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. If they differ, the block is considered dead and skipped. However, bd_oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd_oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing the dead block check and calling nilfs_bmap_mark() on a non-existent block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT). Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration. [ryusuke: slightly modified the commit message and comments for accuracy]

Affected products

Linux
  • <65e07964b4b2daf9a54e686cf0fa72d74a9648a8
  • <9472d37799a0b9ff9b99639f35961ac2f0b3c9be
  • <e0a0c4903cbba351f0f5b5d104960d3a5b23202f
  • <94094e70fe292c9566502772d4d4d6d6a99204b1
  • ==2.6.30
  • <2.6.30
  • =<6.6.*
  • <e5ff0ba4b6983cdbcc826efc201e7179ece5d46f
  • =<*
  • =<7.0.*
  • =<6.18.*
  • <be3e5d10643d3be1cbac9d9939f220a99253f980
  • =<5.15.*
  • =<5.10.*
  • =<6.12.*
  • <b88f905d4449b70da6bda547be546e365e44352e
  • =<6.1.*
  • <4525658002be3ad310b16bf8db48c8adb6a55d32
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind

In the Linux kernel, the following vulnerability has been resolved: net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via pn_socket_autobind(): kernel BUG at net/phonet/socket.c:213! RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline] RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421 Call Trace: sock_sendmsg_nosec+0x112/0x150 net/socket.c:797 __sock_sendmsg net/socket.c:812 [inline] __sys_sendto+0x402/0x590 net/socket.c:2280 ... pn_socket_autobind() calls pn_socket_bind() with port 0 and, on -EINVAL, assumes the socket was already bound and asserts that the port is non-zero: err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn)); if (err != -EINVAL) return err; BUG_ON(!pn_port(pn_sk(sock->sk)->sobject)); return 0; /* socket was already bound */ However pn_socket_bind() also returns -EINVAL when sk->sk_state is not TCP_CLOSE, even when the socket has never been bound and pn_port() is still 0. In that case the BUG_ON() fires and panics the kernel from a user-triggerable path. Treat the "bind returned -EINVAL but pn_port() is still 0" case as a regular error and propagate -EINVAL to the caller instead of crashing. Existing callers already translate a non-zero return from pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here only changes behaviour from panic to a normal errno.

Affected products

Linux
  • <5b0c911bcdbd982f7748d11c0b39ec5808eae2de
  • =<*
  • <6db58ee730bf434d1afca91b91826e26688856ed
  • <2.6.28
  • =<7.0.*
  • ==2.6.28
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-57319
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
WordPress FOX plugin <= 1.4.8 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in FOX <= 1.4.8 versions.

Affected products

woocommerce-currency-switcher
  • =<1.4.8
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
scsi: sg: Resolve soft lockup issue when opening /dev/sgX

In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Resolve soft lockup issue when opening /dev/sgX The parameter def_reserved_size defines the default buffer size reserved for each Sg_fd and should be restricted to a range between 0 and 1,048,576 (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the function sg_proc_write_dressz enforces this limit, it is possible to bypass it by directly modifying the module parameter as shown below, which then causes a soft lockup: echo -1 > /sys/module/sg/parameters/def_reserved_size exec 4<> /dev/sg0 watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537] Modules loaded: CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134, PREEMPT disabled Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version 1.16.1-2.fc37 dated 04/01/2014 ... Call Trace: sg_build_reserve+0x5c/0xa0 sg_add_sfp+0x168/0x270 sg_open+0x16e/0x340 chrdev_open+0xbe/0x230 do_dentry_open+0x175/0x480 vfs_open+0x34/0xf0 do_open+0x265/0x3d0 path_openat+0x110/0x290 do_filp_open+0xc3/0x170 do_sys_openat2+0x71/0xe0 __x64_sys_openat+0x6d/0xa0 do_syscall_64+0x62/0x310 entry_SYSCALL_64_after_hwframe+0x76/0x7e The fix is to use module_param_cb to validate and reject invalid values assigned to def_reserved_size.

Affected products

Linux
  • =<6.6.*
  • =<*
  • <9676ca7b1ef31a3a65b3e61e7ce3b54ce7364202
  • <2.6.19
  • <d06a310b45e153872033dd0cf19d5a2279121099
  • <fe671d3c84ffb1b763d590c25195755adeaadaba
  • =<7.0.*
  • =<6.12.*
  • =<6.18.*
  • =<5.15.*
  • <c5f4a211e82d04ccc1809311322c47023bbe66e2
  • <1afd963fcd963db0dc5d47df6dfcf010c9c4647e
  • ==2.6.19
  • =<5.10.*
  • <feade299e932967de27519338d41de348fb5b061
  • <3d74e0654ac908c65a8f20373091826fe43b1363
  • =<6.1.*
  • <c47ccfb3d80dfed522ca06a5954ac97488d78c5a
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
padata: Put CPU offline callback in ONLINE section to allow failure

In the Linux kernel, the following vulnerability has been resolved: padata: Put CPU offline callback in ONLINE section to allow failure syzbot reported the following warning: DEAD callback error for CPU1 WARNING: kernel/cpu.c:1463 at _cpu_down+0x759/0x1020 kernel/cpu.c:1463, CPU#0: syz.0.1960/14614 at commit 4ae12d8bd9a8 ("Merge tag 'kbuild-fixes-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux") which tglx traced to padata_cpu_dead() given it's the only sub-CPUHP_TEARDOWN_CPU callback that returns an error. Failure isn't allowed in hotplug states before CPUHP_TEARDOWN_CPU so move the CPU offline callback to the ONLINE section where failure is possible.

Affected products

Linux
  • =<6.6.*
  • =<*
  • =<7.0.*
  • =<6.18.*
  • <a6d44f477000c6352de6b05e9e276e62083e5fbf
  • =<6.12.*
  • <5.5
  • <65dae8b34f0810f3fa9f77c4c63650cd20820693
  • <c8c4a2972f83c8b68ff03b43cecdb898939ff851
  • ==0685dfa0a2ff7635c0b64f7b7f0fafbf1c3e0c14
  • <5.6
  • =<6.1.*
  • <3e6c08dd97dcd22a00aee469e0adfa819071d80e
  • ==5.6
  • <9afe53f14a2aae8c4beb30e5ea51641a34f1a3d3
  • <4.20
  • ==3f4d3d010477365ee1aefedc3ad52563740b777e
  • ==2b1207801c393a5e9af2fbac2dd8b0377d8ae63a
  • <5a9f29a3e076b637d2234093e57989cf755ded5b
  • <5.6
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-54753
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Nx: `nx graph` dev server permissive CORS policy

Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.

Affected products

nx
  • ==>= 23.0.0-beta.0, < 23.0.0-beta.2
  • ==>= 17.0.4, < 22.7.2
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
mailbox: mailbox-test: free channels on probe error

In the Linux kernel, the following vulnerability has been resolved: mailbox: mailbox-test: free channels on probe error On probe error, free the previously obtained channels. This not only prevents a leak, but also UAF scenarios because the client structure will be removed nonetheless because it was allocated with devm.

Affected products

Linux
  • =<6.6.*
  • =<*
  • <15c4cc3850cfe1b973eb7b63c02314b267f06a64
  • <4.4
  • =<7.0.*
  • ==4.4
  • =<6.12.*
  • <6c6ce2ccb4fcf1617fec83f91b21aa0265f30701
  • =<6.18.*
  • <81c9e7e4030e71391ab479c4c6e17b64802577aa
  • <187069ccc3474516af32350e20d7e449160fa6de
  • <742001919653e7313b4e91780c5d108be1692365
  • =<5.10.*
  • =<5.15.*
  • <0ad8c4a03a358de7811ba1ab8cbd1fe76ad0ff6b
  • =<6.1.*
  • <c02053a9055d5fdfd32432287cca8958db1d5bc5
  • <02beb178e2e159daeb8f992d7abb16a37da31664
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-48615
5.9 MEDIUM
  • CVSS version (CVSS): 3.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
A flaw in Node.js proxy tunnel error handling could expose …

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Affected products

node
  • =<24.16.0
  • =<22.22.3
  • =<26.3.0
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
iommu/amd: Bounds-check devid in __rlookup_amd_iommu()

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Bounds-check devid in __rlookup_amd_iommu() iommu_device_register() walks every device on the PCI bus via bus_for_each_dev() and calls amd_iommu_probe_device() for each. The inlined check_device() path computes the device's sbdf, calls rlookup_amd_iommu() to find the owning IOMMU, and only afterwards verifies devid <= pci_seg->last_bdf. __rlookup_amd_iommu() indexes rlookup_table[devid] with no bounds check of its own, so for a PCI device whose BDF is not described by the IVRS, the lookup reads past the end of the allocation before the caller's bounds check can run. This was harmless before commit e874c666b15b ("iommu/amd: Change rlookup, irq_lookup, and alias to use kvalloc()"): the table was a zeroed page-order allocation, so the over-read returned NULL and the caller's NULL check skipped the device. After that commit the table is a tight kvcalloc() and the over-read returns adjacent slab contents, which check_device() then dereferences as a struct amd_iommu *, causing a boot-time GPF. Seen on Google Compute Engine ct6e VMs, where the virtualized IVRS describes only the four TPU endpoints 00:04.0-07.0; the gVNIC at 00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation, into the adjacent kmalloc-512 slab object: pci 0000:00:04.0: Adding to iommu group 0 pci 0000:00:05.0: Adding to iommu group 1 pci 0000:00:06.0: Adding to iommu group 2 pci 0000:00:07.0: Adding to iommu group 3 Oops: general protection fault, probably for non-canonical address 0x3a64695f78746382: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.22 #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/06/2025 RIP: 0010:amd_iommu_probe_device+0x54/0x3a0 Call Trace: __iommu_probe_device+0x107/0x520 probe_iommu_group+0x29/0x50 bus_for_each_dev+0x7e/0xe0 iommu_device_register+0xc9/0x240 iommu_go_to_state+0x9c0/0x1c60 amd_iommu_init+0x14/0x40 pci_iommu_init+0x16/0x60 do_one_initcall+0x47/0x2f0 Guard the array access in __rlookup_amd_iommu(). With the fix applied on 6.18.22, the gVNIC at 00:08.0 is skipped cleanly and the VM boots.

Affected products

Linux
  • <07d0f496fe7ec5abe3bee7e38be709521567bb33
  • <f0a0f01787ecece814414b0665df879b69849d09
  • =<*
  • =<7.0.*
  • <79db4cbab81f07ce69a93d379ebd40d3709ecfb2
  • =<6.18.*
  • ==6.16
  • <6.16