CVE-2025-46416: 
Linux Debian vulnerability analysis and mitigation

The vulnerability CVE-2025-46416 affects the Nix, Lix, and Guix package managers, allowing a bypass of build isolation where users can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This vulnerability was discovered in June 2025 and affects Nix through versions 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through versions 2.91.2, 2.92.2, and 2.93.1; and Guix before version 1.4.0-38.0e79d5b (NVD, Wiz).

The vulnerability exploits Linux's abstract UNIX domain sockets, which enable processes in the same network namespace to communicate via Unix-domain sockets, regardless of other namespace states. The attack involves file descriptor smuggling between build processes, allowing privilege escalation to build user accounts. The vulnerability has a CVSS 3.1 Base Score of 2.9 (LOW) with vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N and is classified under CWE-282 (Improper Ownership Management) (Wiz, Guix Blog).

When exploited, this vulnerability allows any user with the ability to start a derivation build to gain the privileges of build users (nixbld or guixbuild). This is particularly concerning for multi-user systems and any system where untrusted code may access the daemon's socket. The vulnerability requires the ability to run arbitrary code in the root PID and network namespaces on the machine where the build occurs (Guix Blog).

The vulnerability has been patched in multiple versions: Nix 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix 2.91.2, 2.92.2, and 2.93.1 (with Pasta or LSM mitigations enabled); and Guix 1.4.0-38.0e79d5b. For Lix specifically, the Pasta mitigation can be disabled by setting an empty pasta-path in /etc/nix/nix.conf. Users are strongly advised to upgrade their package managers immediately to the fixed versions (Lix Blog, NixOS Discourse).

The community response has focused on the importance of proper build isolation and the need for better security practices in package management systems. The vulnerability was discovered and reported through coordinated disclosure, demonstrating effective collaboration between security researchers and affected projects (Guix Blog, Lix Blog).