Summary
The determinate flake (v3.15–3.16.x) pins its nixpkgs input to revision daf6dc47aa (2025-10-27), which ships glibc 2.40 without the security patches released in January 2026. This leaves three unpatched CVEs in the glibc bundled with all determinate-nix pre-built binaries and their transitive dependencies (curl, openssl, sqlite, libarchive, etc.).
Affected CVEs
| CVE | CVSS | Description | Fixed In |
|---|---|---|---|
| CVE-2026-0861 | 8.4 High | memalign integer overflow → heap corruption | glibc 2.40-216+ / 2.42-50+ |
| CVE-2026-0915 | 7.5 High | getnetbyaddr DNS stack content leak | glibc 2.40-216+ / 2.42-50+ |
| CVE-2025-15281 | 7.5 High | wordexp WRDE_REUSE + WRDE_APPEND → uninitialized memory / DoS | glibc 2.40-218+ / 2.42-51+ |
Upstream References
- GLIBC-SA-2026-0001 (CVE-2026-0861)
- GLIBC-SA-2026-0002 (CVE-2026-0915)
- GLIBC-SA-2026-0003 (CVE-2025-15281)
- nixpkgs PR #480822 — glibc 2.42-47 → 2.42-50
- nixpkgs PR #482621 — glibc 2.42-50 → 2.42-51
- nixpkgs PR #482623 — glibc 2.40-217 → 2.40-218
Impact
On NixOS systems using determinate.nixosModules.default, the runtime closure includes 54 store paths linked against the vulnerable glibc-2.40-66. While practical exploitability is low for nix tooling, the CVEs show up in vulnerability scans (vulnix) and create noise for security-conscious deployments.
Suggested Fix
Bump the nixpkgs input in the nix flake to any revision after 2026-01-22, which includes glibc 2.40-218 with all three CVE fixes.
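To confirm that a bump actually removed the affected glibc from a runtime closure, the following script is an added example (not part of this issue or of the determinate-nix project). It scans a list of store paths in the format printed by `nix path-info -r`, extracts the glibc package version from each glibc output name, and compares it against the "Fixed In" thresholds from the table above (2.40-218 and 2.42-51, the releases carrying all three fixes). The store hashes and the non-glibc paths in the sample closure are constructed data, not output from a real system.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue or from the determinate-nix project.
# Scans a list of Nix store paths (the format printed by `nix path-info -r`)
# for glibc outputs older than the fixed releases cited in this issue.
# The fix thresholds come from the issue's "Fixed In" column; the store
# paths in SAMPLE_CLOSURE below are constructed sample data with fake hashes.
set -u

# Minimum patched glibc package release per series, per the issue's table.
min_patch_for_series() {
  case "$1" in
    2.40) echo 218 ;;
    2.42) echo 51 ;;
    *)    echo "" ;;   # series not covered by the issue
  esac
}

# glibc_status VERSION: prints "fixed", "vulnerable" or "unknown" for a
# nixpkgs-style glibc version such as 2.40-66 or 2.40-218.
glibc_status() {
  local ver="$1" series patch min
  series="${ver%%-*}"                 # 2.40
  patch="${ver#*-}"                   # 66, or the whole string if no "-"
  if [ "$patch" = "$ver" ]; then
    patch=0                           # treat a bare "2.40" as release 0
  fi
  min="$(min_patch_for_series "$series")"
  if [ -z "$min" ]; then
    echo unknown
  elif [ "$patch" -ge "$min" ]; then
    echo fixed
  else
    echo vulnerable
  fi
}

# scan_closure: reads store paths on stdin, prints every glibc path below the
# fix threshold, and returns 1 if any were found (0 otherwise), so it can gate
# a CI job. Paths from a glibc series the issue does not cover go to stderr.
scan_closure() {
  local found=0 path name ver
  while IFS= read -r path; do
    name="${path##*/}"                # drop /nix/store/
    name="${name#*-}"                 # drop the 32-character hash
    case "$name" in
      glibc-[0-9]*) ;;                # glibc-2.40-66, glibc-2.40-66-bin, ...
      *) continue ;;
    esac
    # Keep only "major.minor-release" from the derivation name.
    ver="$(printf '%s' "${name#glibc-}" | sed -E 's/^([0-9]+\.[0-9]+(-[0-9]+)?).*/\1/')"
    case "$(glibc_status "$ver")" in
      vulnerable) printf '%s\n' "$path"; found=1 ;;
      unknown)    printf 'warning: glibc series not covered: %s\n' "$path" >&2 ;;
    esac
  done
  return "$found"
}

# Constructed sample closure (fake hashes), standing in for real output of e.g.
#   nix path-info -r .#nixosConfigurations.<host>.config.system.build.toplevel
SAMPLE_CLOSURE='/nix/store/0000000000000000000000000000000a-glibc-2.40-66
/nix/store/0000000000000000000000000000000b-curl-8.11.0
/nix/store/0000000000000000000000000000000c-glibc-2.40-66-bin
/nix/store/0000000000000000000000000000000d-openssl-3.3.2'

if printf '%s\n' "$SAMPLE_CLOSURE" | scan_closure; then
  echo "no glibc below the fix threshold found"
else
  echo "glibc below the fix threshold found (paths listed above)"
fi
```

On a real system, replace the sample with `nix path-info -r <store path of the system closure> | scan_closure`; a non-zero exit means at least one glibc output in the closure predates the fixed release for its series, which is the condition vulnix flags in the Impact section above.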