Nixpkgs security tracker

NIXPKGS-2026-1714

GitHub issue published on

Permalink CVE-2026-48852

3.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 10 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

PuTTY 0.71 before 0.84 has an assertion failure in ECDSA …

PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature verification.

References

Affected products

PuTTY

<0.84

Matching in nixpkgs

pkgs.putty

Free Telnet/SSH Client

nixos-unstable 0.83
- nixpkgs-unstable 0.83
- nixos-unstable-small 0.83
nixos-25.11 0.83
- nixos-25.11-small 0.83
- nixpkgs-25.11-darwin 0.83

NIXPKGS-2026-1713

GitHub issue published on

Permalink CVE-2026-9501

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 10 hours ago
@LeSuisse ignored
3 references
3 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion

A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue.

References

VDB-365483 | GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1242 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_asse… exploit
https://github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be… patch

Ignored references (3)

https://www.gnu.org/ product
VDB-365483 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814250 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Reachable Assertion (CWE-617) third-party-advisory

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.10
==0.5
==0.6
==0.2
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

NIXPKGS-2026-1712

GitHub issue published on

Permalink CVE-2026-9500

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 10 hours ago
@LeSuisse ignored
3 references
3 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow

A vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-365482 | GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1241 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit

Ignored references (3)

https://www.gnu.org/ product
Submit #814248 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Heap-based Buffer Overflow (CWE-122) third-party-advisory
VDB-365482 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.10
==0.5
==0.6
==0.2
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

NIXPKGS-2026-1711

GitHub issue published on

Permalink CVE-2026-48850

3.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 10 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

PuTTY 0.72 before 0.84 has a double free in RSA …

PuTTY 0.72 before 0.84 has a double free in RSA KEX.

References

Affected products

PuTTY

<0.84

Matching in nixpkgs

pkgs.putty

Free Telnet/SSH Client

nixos-unstable 0.83
- nixpkgs-unstable 0.83
- nixos-unstable-small 0.83
nixos-25.11 0.83
- nixos-25.11-small 0.83
- nixpkgs-25.11-darwin 0.83

NIXPKGS-2026-1710

GitHub issue published on

Permalink CVE-2026-9504

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 10 hours ago
@LeSuisse ignored
3 references
3 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

GNU LibreDWG Dwggrep Utility dwggrep.c bit_convert_TU out-of-bounds

A weakness has been identified in GNU LibreDWG up to 0.14. Affected is the function bit_convert_TU of the file programs/dwggrep.c of the component Dwggrep Utility. This manipulation causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: be996bf2178a40e98720f18c2414815d244413db. Applying a patch is the recommended action to fix this issue.

References

VDB-365486 | GNU LibreDWG Dwggrep Utility dwggrep.c bit_convert_TU out-of-bounds vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1246 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/be996bf2178a40e98720f18c2414815d244… patch

Ignored references (3)

Submit #814261 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) Out-of-bounds Read (CWE-125) third-party-advisory
VDB-365486 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
https://www.gnu.org/ product

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.2
==0.10
==0.5
==0.6
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

NIXPKGS-2026-1709

GitHub issue published on

Permalink CVE-2026-9503

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 10 hours ago
@LeSuisse ignored
3 references
3 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference

A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised.

References

VDB-365485 | GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1245 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be5… patch

Ignored references (3)

Submit #814260 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) NULL Pointer Dereference (CWE-476) third-party-advisory
https://www.gnu.org/ product
VDB-365485 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.10
==0.5
==0.6
==0.2
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

NIXPKGS-2026-1708

GitHub issue published on

Permalink CVE-2026-9502

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 10 hours ago
@LeSuisse ignored
3 references
3 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow

A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch.

References

VDB-365484 | GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1243 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be… patch

Ignored references (3)

https://www.gnu.org/ product
Submit #814259 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Heap-based Buffer Overflow (CWE-122) third-party-advisory
VDB-365484 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.10
==0.5
==0.6
==0.2
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

NIXPKGS-2026-1707

GitHub issue published on

Permalink CVE-2026-48851

3.1 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 10 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

PuTTY 0.77 before 0.84 uses a copy of the PuTTY …

PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indication for TELNET data but the trust status is not cleared between proxy authentication and the main session.

References

Affected products

PuTTY

<0.84

Matching in nixpkgs

pkgs.putty

Free Telnet/SSH Client

nixos-unstable 0.83
- nixpkgs-unstable 0.83
- nixos-unstable-small 0.83
nixos-25.11 0.83
- nixos-25.11-small 0.83
- nixpkgs-25.11-darwin 0.83

NIXPKGS-2026-1706

GitHub issue published on

Permalink CVE-2026-9150

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 5 days, 4 hours ago by @LeSuisse Activity log

Created suggestion 5 days, 10 hours ago
@LeSuisse accepted 5 days, 5 hours ago
@LeSuisse published on GitHub 5 days, 4 hours ago

Libsolv: stack-based buffer overflow in libsolv's debian metadata parser when handling sha384/sha512 checksums

A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.

References

https://access.redhat.com/security/cve/CVE-2026-9150 vdb-entryx_refsource_REDHAT
RHBZ#2460379 issue-trackingx_refsource_REDHAT
https://github.com/openSUSE/libsolv/pull/616

Affected products

rhcos

libsolv

satellite-capsule:el8/libsolv

Matching in nixpkgs

pkgs.libsolv

Free package dependency solver

nixos-unstable 0.7.36
- nixpkgs-unstable 0.7.36
- nixos-unstable-small 0.7.36
nixos-25.11 0.7.35
- nixos-25.11-small 0.7.35
- nixpkgs-25.11-darwin 0.7.35

Fixed in 0.7.37.

https://github.com/openSUSE/libsolv/commit/0de68ee047a69a5aae5186f8939bd1d31113aa2a

NIXPKGS-2026-1705

GitHub issue published on

Permalink CVE-2026-24188

8.2 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): Low (L)

updated 5 days, 4 hours ago by @LeSuisse Activity log

Created suggestion 5 days, 10 hours ago
@LeSuisse ignored
4 packages
- cudaPackages.tensorrt-samples
- python314Packages.tensorrt
- python313Packages.tensorrt
- python312Packages.tensorrt
5 days, 5 hours ago
@LeSuisse accepted 5 days, 5 hours ago
@LeSuisse published on GitHub 5 days, 4 hours ago

NVIDIA TensorRT contains a vulnerability where an attacker could cause …

NVIDIA TensorRT contains a vulnerability where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to data tampering.

References

Affected products

TensorRT

<v10.16.1

Matching in nixpkgs

pkgs.cudaPackages.tensorrt

SDK that facilitates high-performance machine learning inference

nixos-unstable 10.14.1.48
- nixpkgs-unstable 10.14.1.48
- nixos-unstable-small 10.14.1.48
nixos-25.11 10.14.1.48
- nixos-25.11-small 10.14.1.48
- nixpkgs-25.11-darwin 10.14.1.48

Ignored packages (4)

pkgs.python312Packages.tensorrt

Python bindings for TensorRT, a high-performance deep learning interface

nixos-25.11 cuda12.8-tensorrt-10.14.1.48
- nixos-25.11-small cuda12.8-tensorrt-10.14.1.48
- nixpkgs-25.11-darwin cuda12.8-tensorrt-10.14.1.48

pkgs.python313Packages.tensorrt

Python bindings for TensorRT, a high-performance deep learning interface

nixos-unstable cuda12.9-tensorrt-10.14.1.48
- nixpkgs-unstable cuda12.9-tensorrt-10.14.1.48
- nixos-unstable-small cuda12.9-tensorrt-10.14.1.48
nixos-25.11 cuda12.8-tensorrt-10.14.1.48
- nixos-25.11-small cuda12.8-tensorrt-10.14.1.48
- nixpkgs-25.11-darwin cuda12.8-tensorrt-10.14.1.48

pkgs.python314Packages.tensorrt

Python bindings for TensorRT, a high-performance deep learning interface

nixos-unstable cuda12.9-tensorrt-10.14.1.48
- nixpkgs-unstable cuda12.9-tensorrt-10.14.1.48
- nixos-unstable-small cuda12.9-tensorrt-10.14.1.48

pkgs.cudaPackages.tensorrt-samples

Open Source Software (OSS) components of NVIDIA TensorRT

nixos-unstable 10.14.1
- nixpkgs-unstable 10.14.1
- nixos-unstable-small 10.14.1
nixos-25.11 10.14.1
- nixos-25.11-small 10.14.1
- nixpkgs-25.11-darwin 10.14.1

Package maintainers

@samuela Samuel Ainsworth <skainsworth@gmail.com>
@SomeoneSerge Else Someone <else+nixpkgs@someonex.net>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
@ConnorBaker Connor Baker <ConnorBaker01@gmail.com>
@prusnak Pavol Rusnak <pavol@rusnak.io>
@YorikSar Yuriy Taraday <yorik.sar@gmail.com>

Published issues

References

Affected products

Matching in nixpkgs

pkgs.putty

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.putty

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.putty

References

Affected products

Matching in nixpkgs

pkgs.libsolv

References

Affected products

Matching in nixpkgs

pkgs.cudaPackages.tensorrt

pkgs.python312Packages.tensorrt

pkgs.python313Packages.tensorrt

pkgs.python314Packages.tensorrt

pkgs.cudaPackages.tensorrt-samples

Package maintainers