About “NixOS”

A curated feed of “NixOS”-related CVEs appears below. We currently track 14 CVEs for this tag (all time). In the last 365 days, 5 were published. Average CVSS is 7.1 (all time; 7.6 over 365d), and 57% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-306 - Missing Authentication for Critical Function, CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory, CWE-798 - Use of Hard-coded Credentials.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: nixos

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle · Release · Latest · EOL · LTS
26.05-
25.11- Soon
25.05- Expired
24.11- Expired
24.05- Expired
23.11- Expired
23.05- Expired
22.11- Expired
22.05- Expired
21.11- Expired
21.05- Expired
20.09- Expired
20.03- Expired
19.09- Expired
19.03- Expired
18.09- Expired
18.03- Expired
17.09- Expired
17.03- Expired
16.09- Expired
16.03- Expired
15.09- Expired
14.12- Expired
14.04- Expired
13.10- Expired

Legend: Maintained · Soon (≤ 180 days) · Expired


CVEs tagged with this topic:
2026-05-14
Critical

CVE-2026-44592

Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker with…

2026-02-18
Medium

CVE-2025-71229

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a…

2026-02-02
Critical

CVE-2026-25137

The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This…

2026-01-19
High

CVE-2026-23838

Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes,…

2025-11-17
Medium

CVE-2025-64766

NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25…

2025-04-15
High

CVE-2025-32438

make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS users. With systemd.shutdownRamfs.enable enabled (the default) a local user is abl…

2025-02-26
Medium

CVE-2022-49335

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/cs: make commands with 0 chunks illegal behaviour. Submitting a cs with 0 chunks, causes an oops later, found trying t…

2024-08-27
High

CVE-2024-45049

Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the…

2024-08-16
High

CVE-2024-43378

calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users who installed NixOS through the graphical installer who used manual disk partitioning…

2024-04-22
Medium

CVE-2024-32657

Hydra is a Continuous Integration service for Nix based projects. Attackers can execute arbitrary code in the browser context of Hydra and execute authenticated HTTP requests. The abused feature allo…

2024-04-17
Medium

CVE-2023-52644

In the Linux kernel, the following vulnerability has been resolved: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled When QoS is disabled, the queue priority value will not ma…

2023-06-29
High

CVE-2023-36476

calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users of calamares-nixos-extensions version 0.3.12 and prior who installed NixOS through the…

2017-07-20
Medium

CVE-2017-11501

NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It…

2017-04-04
High

CVE-2017-7412

NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which allows local users to gain privileges by executing docker commands.
