Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0673
published 3 months, 1 week ago
CVE-2026-4174
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Radare2 Mach-O File mach0.c walk_exports_trie resource consumption


Radare2
  • ==5.9.9
  • ==6.1.2
Upstream issue: https://github.com/radareorg/radare2/issues/25482
Upstream patch: https://github.com/radareorg/radare2/commit/4371ae84c99c46b48cb21badbbef06b30757aba0

Upstream disputes the security issue: https://github.com/radareorg/radare2/issues/25482#issuecomment-3989318217
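The entry above names a resource-consumption bug in walk_exports_trie, radare2's walker for the Mach-O export trie. The C below is an added example for this page, not radare2's code and not derived from the upstream patch; it shows how a walk over that format stays bounded on hostile input: ULEB128 decoding is length-checked, every child offset is range-checked against the trie buffer, a revisited node offset is treated as a cycle and rejected, and both the total node count and the pending-work stack are capped. The node layout (terminal-block size, flags and address, child count, NUL-terminated edge labels, ULEB128 child offsets) and the EXPORT_SYMBOL_FLAGS_REEXPORT value follow dyld's export-trie format; MAX_NODES, MAX_NAME and the sample trie bytes are constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NODES 4096   /* work budget: a tunable assumption for this example, not a dyld limit */
#define MAX_NAME  256    /* longest symbol name we will assemble */
#define EXPORT_SYMBOL_FLAGS_REEXPORT 0x08 /* dyld: terminal holds ordinal+name, not an address */

typedef struct { char name[MAX_NAME]; uint64_t flags; uint64_t address; } export_sym_t;
typedef struct { uint64_t offset; char prefix[MAX_NAME]; } frame_t; /* node + name so far */

/* Length-checked ULEB128: bytes consumed, or 0 if the value runs past len or 64 bits. */
static size_t read_uleb128(const uint8_t *buf, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0, shift = 0; i < len && shift < 64; i++, shift += 7) {
        v |= (uint64_t)(buf[i] & 0x7f) << shift;
        if (!(buf[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

/* Iterative walk. Returns the export count (up to max_out written to out), or -1 if the
 * trie is truncated, points outside its buffer, revisits a node, or exceeds MAX_NODES. */
static int walk_exports_trie(const uint8_t *trie, size_t size, export_sym_t *out, size_t max_out)
{
    int rc = -1;
    size_t sp = 0, nsyms = 0, nodes = 0;
    uint8_t *visited = trie && size ? calloc((size + 7) / 8, 1) : NULL; /* one bit per byte offset */
    frame_t *stack = malloc(sizeof(frame_t) * MAX_NODES);
    if (!visited || !stack) goto done;
    stack[0].offset = 0; stack[0].prefix[0] = '\0'; sp = 1;

    while (sp > 0) {
        frame_t cur = stack[--sp];
        uint64_t off = cur.offset, term_size;
        if (off >= size) goto done;                              /* child offset outside the trie */
        if (visited[off / 8] & (1u << (off % 8))) goto done;     /* cycle or shared node: reject */
        visited[off / 8] |= (uint8_t)(1u << (off % 8));
        if (++nodes > MAX_NODES) goto done;                      /* total-work budget */

        const uint8_t *p = trie + off;
        size_t rem = size - off;
        size_t n = read_uleb128(p, rem, &term_size);
        if (n == 0 || term_size > rem - n) goto done;            /* terminal block must fit */
        p += n; rem -= n;
        if (term_size != 0) {                                    /* terminal: flags, then address/ordinal */
            uint64_t flags = 0, addr = 0;
            size_t n1 = read_uleb128(p, (size_t)term_size, &flags);
            if (n1 == 0) goto done;
            if (!(flags & EXPORT_SYMBOL_FLAGS_REEXPORT) &&
                read_uleb128(p + n1, (size_t)term_size - n1, &addr) == 0) goto done;
            if (nsyms < max_out) {
                strcpy(out[nsyms].name, cur.prefix);
                out[nsyms].flags = flags; out[nsyms].address = addr;
            }
            nsyms++;
        }
        p += (size_t)term_size; rem -= (size_t)term_size;
        if (rem == 0) goto done;                                 /* child-count byte missing */
        uint8_t child_count = *p++; rem--;
        size_t prefix_len = strlen(cur.prefix);
        for (unsigned i = 0; i < child_count; i++) {
            const uint8_t *nul = memchr(p, 0, rem);              /* edge label must end in-bounds */
            if (!nul) goto done;
            size_t label_len = (size_t)(nul - p);
            uint64_t child_off;
            size_t n3 = read_uleb128(nul + 1, rem - label_len - 1, &child_off);
            if (n3 == 0 || prefix_len + label_len >= MAX_NAME || sp >= MAX_NODES) goto done;
            memcpy(stack[sp].prefix, cur.prefix, prefix_len);
            memcpy(stack[sp].prefix + prefix_len, p, label_len);
            stack[sp].prefix[prefix_len + label_len] = '\0';
            stack[sp].offset = child_off;
            sp++;
            p += label_len + 1 + n3; rem -= label_len + 1 + n3;
        }
    }
    rc = (int)nsyms;
done:
    free(visited); free(stack);
    return rc;
}

/* Constructed sample trie (not from a real binary): root -> "_f" -> {"oo" -> _foo @0x10, "ree" -> _free @0x20} */
static const uint8_t kGoodTrie[] = {
    0x00, 0x01, '_', 'f', 0x00, 0x06,                              /* @0: no terminal, 1 child -> @6 */
    0x00, 0x02, 'o', 'o', 0x00, 0x11, 'r', 'e', 'e', 0x00, 0x15,   /* @6: 2 children -> @17, @21 */
    0x02, 0x00, 0x10, 0x00,                                        /* @17: {flags 0, addr 0x10}, 0 children */
    0x02, 0x00, 0x20, 0x00,                                        /* @21: {flags 0, addr 0x20}, 0 children */
};
/* Constructed hostile tries: a self-loop, a child offset past the end, a cut-off label. */
static const uint8_t kCyclicTrie[] = { 0x00, 0x01, 'a', 0x00, 0x00 };
static const uint8_t kOobTrie[]    = { 0x00, 0x01, 'a', 0x00, 0x7f };
static const uint8_t kTruncTrie[]  = { 0x00, 0x01, 'a' };

static export_sym_t g_syms[8];
static int walk_sample(void) { return walk_exports_trie(kGoodTrie, sizeof kGoodTrie, g_syms, 8); }

int main(void)
{
    int n = walk_sample();
    printf("good trie: %d exports\n", n);
    for (int i = 0; i < n && i < 8; i++)
        printf("  %s @ 0x%llx\n", g_syms[i].name, (unsigned long long)g_syms[i].address);
    printf("cyclic: %d, out-of-bounds: %d, truncated: %d\n",
           walk_exports_trie(kCyclicTrie, sizeof kCyclicTrie, NULL, 0),
           walk_exports_trie(kOobTrie, sizeof kOobTrie, NULL, 0),
           walk_exports_trie(kTruncTrie, sizeof kTruncTrie, NULL, 0));
    return 0;
}
```

The explicit stack replaces recursion so a deep or wide trie cannot exhaust the C stack; the visited bitmap and MAX_NODES cap are what turn a looping or exponentially branching trie from a hang into an immediate -1.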
NIXPKGS-2026-0670
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability


GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0667
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability


GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0663
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability


GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0661
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability


GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0666
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability


GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0669
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability


GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2
NIXPKGS-2026-0674
published 3 months, 1 week ago
CVE-2026-4111
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    28 packages
    • libarchive-qt
    • haskellPackages.libarchive
    • kodiPackages.vfs-libarchive
    • perlPackages.ArchiveLibarchive
    • python312Packages.libarchive-c
    • python313Packages.libarchive-c
    • python314Packages.libarchive-c
    • haskellPackages.libarchive-clib
    • perl5Packages.ArchiveLibarchive
    • perl538Packages.ArchiveLibarchive
    • perl540Packages.ArchiveLibarchive
    • haskellPackages.archive-libarchive
    • haskellPackages.libarchive-conduit
    • perlPackages.ArchiveLibarchivePeek
    • perlPackages.TestArchiveLibarchive
    • perl5Packages.ArchiveLibarchivePeek
    • perl5Packages.TestArchiveLibarchive
    • perl538Packages.ArchiveLibarchivePeek
    • perl538Packages.TestArchiveLibarchive
    • perl540Packages.ArchiveLibarchivePeek
    • perl540Packages.TestArchiveLibarchive
    • perlPackages.ArchiveLibarchiveExtract
    • perl5Packages.ArchiveLibarchiveExtract
    • perl538Packages.ArchiveLibarchiveExtract
    • perl540Packages.ArchiveLibarchiveExtract
    • python312Packages.extractcode-libarchive
    • python313Packages.extractcode-libarchive
    • python314Packages.extractcode-libarchive
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Libarchive: infinite loop denial of service in rar5 decompression via archive_read_data() in libarchive


rhcos
libarchive
Upstream patch: https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168
NIXPKGS-2026-0637
published 3 months, 1 week ago
CVE-2026-31884
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

FreeRDP has a division-by-zero in ADPCM decoders when `nBlockAlign` is 0


FreeRDP
  • < 3.24.0
Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jp7m-94ww-p56r
Upstream patches:
* https://github.com/FreeRDP/FreeRDP/commit/03b48b3601d867afccac1cdc6081de7a275edce7
* https://github.com/FreeRDP/FreeRDP/commit/16df2300e1e3f5a51f68fb1626429e58b531b7c8
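The advisory above describes a division by zero in FreeRDP's ADPCM decoders when the negotiated `nBlockAlign` is 0. The C below is an added example for this page, not FreeRDP's code and not its patch; it puts the vulnerable shape (block count computed by dividing by a peer-controlled field) next to a hardened form that validates the format before any arithmetic. The field names follow the Windows WAVEFORMATEX layout; the minimum block-align and samples-per-block figures assume IMA ADPCM (4-byte header per channel, 4-bit samples), which is an assumption of the example, and the three sample formats are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of WAVEFORMATEX. In RDP audio redirection the peer chooses these
 * values, so every field is untrusted input. */
typedef struct {
    uint16_t nChannels;
    uint32_t nSamplesPerSec;
    uint16_t nBlockAlign;
    uint16_t wBitsPerSample;
} adpcm_format_t;

/* Vulnerable shape (the 'before' picture only; never call with unvalidated input):
 * nBlockAlign == 0 raises SIGFPE and takes the whole client down. */
static size_t adpcm_block_count_unchecked(size_t src_size, const adpcm_format_t *fmt)
{
    return src_size / fmt->nBlockAlign;
}

/* Hardened form: reject the format once, before it reaches any decoder arithmetic.
 * Assumed IMA ADPCM layout: a 4-byte header per channel plus at least one data byte
 * per channel, 4-bit samples. MS ADPCM has different minimums but the same check shape. */
static bool adpcm_format_validate(const adpcm_format_t *fmt)
{
    if (!fmt) return false;
    if (fmt->nChannels != 1 && fmt->nChannels != 2) return false;
    if (fmt->nSamplesPerSec == 0) return false;
    if (fmt->wBitsPerSample != 4) return false;
    size_t min_block_align = 4u * fmt->nChannels + fmt->nChannels;
    if (fmt->nBlockAlign < min_block_align) return false;  /* also rejects nBlockAlign == 0 */
    return true;
}

/* Whole blocks present in src_size bytes, or -1 if the format is rejected or the
 * payload does not even hold one complete block. The division is safe only because
 * adpcm_format_validate() has guaranteed nBlockAlign > 0. */
static long adpcm_block_count(size_t src_size, const adpcm_format_t *fmt)
{
    if (!adpcm_format_validate(fmt)) return -1;
    size_t blocks = src_size / fmt->nBlockAlign;
    if (blocks == 0) return -1;
    return (long)blocks;
}

/* IMA ADPCM: one header sample per channel, then two 4-bit samples per data byte. */
static long adpcm_samples_per_block(const adpcm_format_t *fmt)
{
    if (!adpcm_format_validate(fmt)) return -1;
    size_t data = fmt->nBlockAlign - 4u * fmt->nChannels;
    return (long)((data * 2) / fmt->nChannels + 1);
}

/* Constructed formats: one sane, one with the nBlockAlign == 0 the advisory describes,
 * one too small to hold even the per-channel headers. */
static const adpcm_format_t kValidMono = { 1, 8000,  256, 4 };
static const adpcm_format_t kZeroAlign = { 1, 8000,  0,   4 };
static const adpcm_format_t kTinyAlign = { 2, 44100, 6,   4 };

int main(void)
{
    printf("valid mono: %ld blocks in 1024 bytes, %ld samples/block (unchecked agrees: %zu)\n",
           adpcm_block_count(1024, &kValidMono), adpcm_samples_per_block(&kValidMono),
           adpcm_block_count_unchecked(1024, &kValidMono));
    printf("nBlockAlign=0 rejected: %ld; undersized block rejected: %ld; short payload: %ld\n",
           adpcm_block_count(1024, &kZeroAlign), adpcm_block_count(1024, &kTinyAlign),
           adpcm_block_count(100, &kValidMono));
    return 0;
}
```

The point of splitting validation out of the decoder is that the format is checked once when it is negotiated, so no later code path has to remember that `nBlockAlign` came from the wire.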
NIXPKGS-2026-0657
published 3 months, 1 week ago
CVE-2026-32704
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan renderSprig: missing admin check allows any user to read full workspace DB


siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x