NIXPKGS-2026-0891

GitHub issue published on

Permalink CVE-2026-25704

updated 1 month ago by @mweinelt Activity log

Created suggestion 1 month ago
@mweinelt accepted 1 month ago
@mweinelt published on GitHub 1 month ago

Incomplete privilege drop for com.system76.CosmicGreeter.GetUserData

A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic. This issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426.

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25704

Affected products

cosmic-greeter

<https://github.com/pop-os/cosmic-greeter/pull/426

Matching in nixpkgs

pkgs.cosmic-greeter

Greeter for the COSMIC Desktop Environment

nixos-unstable 1.0.8
- nixpkgs-unstable 1.0.8
- nixos-unstable-small 1.0.8
nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

Package maintainers

@ahoneybun Aaron Honeycutt <aaronhoneycutt@proton.me>
@a-kenji Alexander Kenji Berthold <aks.kenji@protonmail.com>
@thefossguy Pratham Patel <prathampatel@thefossguy.com>
@HeitorAugustoLN Heitor Augusto <nixpkgs.woven713@passmail.net>
@michaelBelsanti Mike Belsanti <mbels03@protonmail.com>
@alyssais Alyssa Ross <hi@alyssa.is>
@drakon64 Evelyn Chance <nixpkgs@drakon.cloud>
@nyabinary Niko Cantero <nyanbinary@keemail.me>
@Pandapip1 Gavin John <gavinnjohn@gmail.com>

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25704

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0891

References

Affected products

Matching in nixpkgs

pkgs.cosmic-greeter

Package maintainers