Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-5473

4.5 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 1 week, 2 days ago

NASA cFS Pickle pickle.load deserialization

A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-355077 | NASA cFS Pickle pickle.load deserialization vdb-entrytechnical-description
VDB-355077 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #781949 | NASA cFS 7.0.0 Code Execution third-party-advisory
https://github.com/nasa/cFS/issues/951 issue-tracking
https://github.com/nasa/cFS/ product

Affected products

cFS

==7.0

Matching in nixpkgs

pkgs.cfssl

Cloudflare's PKI and TLS toolkit

nixos-unstable 1.6.5
- nixpkgs-unstable 1.6.5
- nixos-unstable-small 1.6.5
nixos-25.11 1.6.5
- nixos-25.11-small 1.6.5
- nixpkgs-25.11-darwin 1.6.5

pkgs.cpcfs

Manipulating CPC dsk images and files

nixos-unstable 0.85.4
- nixpkgs-unstable 0.85.4
- nixos-unstable-small 0.85.4
nixos-25.11 0.85.4
- nixos-25.11-small 0.85.4
- nixpkgs-25.11-darwin 0.85.4

pkgs.encfs

Encrypted filesystem in user-space via FUSE

nixos-unstable 1.9.5
- nixpkgs-unstable 1.9.5
- nixos-unstable-small 1.9.5
nixos-25.11 1.9.5
- nixos-25.11-small 1.9.5
- nixpkgs-25.11-darwin 1.9.5

pkgs.lxcfs

FUSE filesystem for LXC

nixos-unstable 6.0.6
- nixpkgs-unstable 6.0.6
- nixos-unstable-small 6.0.6
nixos-25.11 6.0.5
- nixos-25.11-small 6.0.5
- nixpkgs-25.11-darwin 6.0.5

pkgs.gencfsm

EncFS manager and mounter with GNOME3 integration

nixos-unstable 1.9
- nixpkgs-unstable 1.9
- nixos-unstable-small 1.9
nixos-25.11 1.9
- nixos-25.11-small 1.9
- nixpkgs-25.11-darwin 1.9

pkgs.cfspeedtest

Unofficial CLI for speed.cloudflare.com

nixos-unstable 2.2.1
- nixpkgs-unstable 2.2.1
- nixos-unstable-small 2.2.1
nixos-25.11 1.4.1
- nixos-25.11-small 1.4.1
- nixpkgs-25.11-darwin 1.4.1

pkgs.cfs-zen-tweaks

Tweak Linux CPU scheduler for desktop responsiveness

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.ocamlPackages.cfstream

Simple Core-inspired wrapper for standard library Stream module

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2
nixos-25.11 1.3.2
- nixos-25.11-small 1.3.2
- nixpkgs-25.11-darwin 1.3.2

pkgs.python312Packages.cfscrape

Python module to bypass Cloudflare's anti-bot page

nixos-25.11 2.1.1
- nixos-25.11-small 2.1.1
- nixpkgs-25.11-darwin 2.1.1

pkgs.python313Packages.cfscrape

Python module to bypass Cloudflare's anti-bot page

nixos-unstable 2.1.1
- nixpkgs-unstable 2.1.1
- nixos-unstable-small 2.1.1
nixos-25.11 2.1.1
- nixos-25.11-small 2.1.1
- nixpkgs-25.11-darwin 2.1.1

pkgs.python314Packages.cfscrape

Python module to bypass Cloudflare's anti-bot page

nixos-unstable 2.1.1
- nixpkgs-unstable 2.1.1
- nixos-unstable-small 2.1.1

pkgs.ocamlPackages_latest.cfstream

Simple Core-inspired wrapper for standard library Stream module

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2

pkgs.python312Packages.macfsevents

Thread-based interface to file system observation primitives

nixos-25.11 0.8.4
- nixos-25.11-small 0.8.4
- nixpkgs-25.11-darwin 0.8.4

pkgs.python313Packages.macfsevents

Thread-based interface to file system observation primitives

nixos-unstable 0.8.4
- nixpkgs-unstable 0.8.4
- nixos-unstable-small 0.8.4
nixos-25.11 0.8.4
- nixos-25.11-small 0.8.4
- nixpkgs-25.11-darwin 0.8.4

pkgs.python314Packages.macfsevents

Thread-based interface to file system observation primitives

nixos-unstable 0.8.4
- nixpkgs-unstable 0.8.4
- nixos-unstable-small 0.8.4

pkgs.azure-cli-extensions.managedccfs

Microsoft Azure Command-Line Tools Managedccfs Extension

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.2.0
- nixos-25.11-small 0.2.0
- nixpkgs-25.11-darwin 0.2.0

pkgs.python312Packages.python-linux-procfs

Python classes to extract information from the Linux kernel /proc files

nixos-25.11 0.7.3
- nixos-25.11-small 0.7.3
- nixpkgs-25.11-darwin 0.7.3

pkgs.python313Packages.python-linux-procfs

Python classes to extract information from the Linux kernel /proc files

nixos-unstable 0.7.3
- nixpkgs-unstable 0.7.3
- nixos-unstable-small 0.7.3
nixos-25.11 0.7.3
- nixos-25.11-small 0.7.3
- nixpkgs-25.11-darwin 0.7.3

pkgs.python314Packages.python-linux-procfs

Python classes to extract information from the Linux kernel /proc files

nixos-unstable 0.7.3
- nixpkgs-unstable 0.7.3
- nixos-unstable-small 0.7.3

pkgs.tests.testers.runCommand.nonDefault-hash

None

nixos-25.11 hvd21cfs9hxr
- nixos-25.11-small hvd21cfs9hxr
- nixpkgs-25.11-darwin hvd21cfs9hxr

Package maintainers

@ulrikstrid Ulrik Strid <ulrik.strid@outlook.com>
@katexochen Paul Meyer <katexochen0@gmail.com>
@mkg20001 Maciej Krüger <mkg20001+nix@gmail.com>
@stepbrobd Yifei Sun <ysun@hey.com>
@colemickens Cole Mickens <cole.mickens@gmail.com>
@mbrgm Marius Bergmann <marius@yeai.de>
@spacefrogg Michael Raitza <spacefrogg-nixos@meterriblecrew.net>
@megheaiulian Meghea Iulian <iulian.meghea@gmail.com>
@aanderse Aaron Andersen <aaron@fosslib.net>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@jnsgruk Jon Seager <jon@sgrs.uk>
@bcdarwin Ben Darwin <bcdarwin@gmail.com>