Nixpkgs security tracker

Published

Permalink CVE-2026-10717

1.8 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Attack Requirement (AT): Present (P)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): Low (L)
Safety (S): Negligible (N)
Automatable (AU): Yes (Y)
Recovery (R): Automatic (A)
Value Density (V): Diffuse (D)
Vulnerability Response Effort (RE): Low (L)
Provider Urgency (U): Clear (Clear)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): High (H)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Low (L)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 8 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 8 hours ago

Open-Seachest/Seachest show SCSI Defect List Vulnerability

Out of bounds write and reads in openSeaChest’s --showSCSIDefects in Seagate’s openSeaChest v25.05.3 on all supported platforms allows for writing defect information out of bounds for very large defects lists via a very bad drive with lots of defects or a maliciously crafted SCSI device’s defect response length.

References

Affected products

openSeaChest

==26.03.0
=<25.05.3

Matching in nixpkgs

pkgs.openseachest

Collection of command line diagnostic tools for storage devices

nixos-unstable 25.05.3
- nixpkgs-unstable 25.05.3
- nixos-unstable-small 25.05.3
nixos-25.11 25.05.3
- nixos-25.11-small 25.05.3
- nixpkgs-25.11-darwin 25.05.3

Published

Permalink CVE-2026-10718

4.6 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Safety (S): Negligible (N)
Automatable (AU): Yes (Y)
Recovery (R): User (U)
Value Density (V): Diffuse (D)
Vulnerability Response Effort (RE): Low (L)
Provider Urgency (U): Green (Green)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 8 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 8 hours ago

Open Seachest/Seachest NVMe Trim (Deallocate) Vulnerability

Out of bounds write in openSeaChest’s Trim/Unmap operation in Seagate’s openSeaChest v26.03.0 on all supported platforms allows for writing extra memory describing a range of LBAs to deallocate 16 bytes outside of the allocated space when running this operation.

References

Affected products

openSeaChest

=<26.03.0

Matching in nixpkgs

pkgs.openseachest

Collection of command line diagnostic tools for storage devices

nixos-unstable 25.05.3
- nixpkgs-unstable 25.05.3
- nixos-unstable-small 25.05.3
nixos-25.11 25.05.3
- nixos-25.11-small 25.05.3
- nixpkgs-25.11-darwin 25.05.3

Published

Permalink CVE-2026-10719

1.8 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Attack Requirement (AT): Present (P)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): Low (L)
Safety (S): Negligible (N)
Automatable (AU): Yes (Y)
Recovery (R): Automatic (A)
Value Density (V): Diffuse (D)
Vulnerability Response Effort (RE): Low (L)
Provider Urgency (U): Clear (Clear)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): High (H)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Low (L)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 8 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 8 hours ago

Open Seachest/Seachest NVMe show Format Descriptors Vulnerability

Out of bounds write in openSeaChest’s --showSupportedFormats in Seagate’s openSeaChest v25.05.3 on all supported platforms allows for writing 1 extra byte outside of allocated memory which sets a value to 1 via a maliciously crafted NVMe device with a bogus value in the namespace FLBAS byte.

References

Affected products

openSeaChest

=<25.05.3

Matching in nixpkgs

pkgs.openseachest

Collection of command line diagnostic tools for storage devices

nixos-unstable 25.05.3
- nixpkgs-unstable 25.05.3
- nixos-unstable-small 25.05.3
nixos-25.11 25.05.3
- nixos-25.11-small 25.05.3
- nixpkgs-25.11-darwin 25.05.3

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.openseachest

References

Affected products

Matching in nixpkgs

pkgs.openseachest

References

Affected products

Matching in nixpkgs

pkgs.openseachest