CVE-2024-36050

Publication date 18 May 2024

Last updated 25 June 2025


Ubuntu priority

CVSS 3 severity score

4.3 · Medium


Description

Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request.


Status

Package  Ubuntu Release    Status
nix      25.10 questing    Vulnerable, fix deferred
         25.04 plucky      Vulnerable, fix deferred
         24.10 oracular    Ignored (end of life, was deferred) [2025-06-25]
         24.04 LTS noble   Vulnerable, fix deferred
         23.10 mantic      Ignored (end of life, was needs-triage)
         22.04 LTS jammy   Vulnerable, fix deferred
         20.04 LTS focal   Not in release

Notes

bruce-cable

As of 2025-06-25 no patch available

Severity score breakdown

Parameter             Value
Base score            4.3 · Medium
Attack vector         Network
Attack complexity     Low
Privileges required   None
User interaction      Required
Scope                 Unchanged
Confidentiality impact  None
Integrity impact      Low
Availability impact   None
Vector                CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N