Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0952

NIXPKGS-2026-0952
published on
Permalink CVE-2026-3184
3.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 day, 16 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 3 days, 8 hours ago
  • @LeSuisse removed package more 1 day, 16 hours ago
  • @LeSuisse removed package wall 1 day, 16 hours ago
  • @LeSuisse removed package mount 1 day, 16 hours ago
  • @LeSuisse removed package eject 1 day, 16 hours ago
  • @LeSuisse removed package umount 1 day, 16 hours ago
  • @LeSuisse removed package logger 1 day, 16 hours ago
  • @LeSuisse removed package hexdump 1 day, 16 hours ago
  • @LeSuisse removed package libuuid 1 day, 16 hours ago
  • @LeSuisse removed package libsmartcols 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.col 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.fsck 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.more 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.wall 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.eject 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.fdisk 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.mount 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.write 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.column 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.getopt 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.logger 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.script 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.umount 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.hexdump 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.whereis 1 day, 16 hours ago
  • @LeSuisse removed package util-linuxMinimal 1 day, 16 hours ago
  • @LeSuisse removed package uutils-util-linux 1 day, 16 hours ago
  • @LeSuisse removed package unixtools.util-linux 1 day, 16 hours ago
  • @LeSuisse ignored reference https://a… 1 day, 16 hours ago
  • @LeSuisse accepted 1 day, 16 hours ago
  • @LeSuisse published on GitHub 1 day, 16 hours ago
Util-linux: util-linux: access control bypass due to improper hostname canonicalization

A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

References

Ignored references (1)

Affected products

rhcos
util-linux

Matching in nixpkgs

Ignored packages (27)

Package maintainers

Patch: https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984