
Bundled glibc-2.40 has 3 unpatched CVEs (nixpkgs pinned to Oct 2025) #376

@fullykubed


Summary

The determinate flake (v3.15–3.16.x) pins its nixpkgs input to revision daf6dc47aa (2025-10-27), which ships glibc 2.40 without security patches from January 2026. This results in 3 unpatched CVEs in the glibc bundled with all determinate-nix pre-built binaries and their transitive dependencies (curl, openssl, sqlite, libarchive, etc.).

Affected CVEs

| CVE | CVSS | Description | Fixed In |
|---|---|---|---|
| CVE-2026-0861 | 8.4 High | memalign integer overflow → heap corruption | glibc 2.40-216+ / 2.42-50+ |
| CVE-2026-0915 | 7.5 High | getnetbyaddr DNS stack content leak | glibc 2.40-216+ / 2.42-50+ |
| CVE-2025-15281 | 7.5 High | wordexp WRDE_REUSE + WRDE_APPEND → uninitialized memory / DoS | glibc 2.40-218+ / 2.42-51+ |

Upstream References

Impact

On NixOS systems using determinate.nixosModules.default, the runtime closure includes 54 store paths linked against the vulnerable glibc-2.40-66. While practical exploitability is low for nix tooling, the CVEs show up in vulnerability scans (vulnix) and create noise for security-conscious deployments.

Suggested Fix

Bump the nixpkgs input in the nix flake to any revision after 2026-01-22, which includes glibc 2.40-218 with all three CVE fixes.
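A defender-side check for the closure audit described in the issue, added here as example code that is not part of the issue or of determinate-nix: it scans a `nix path-info -r` style closure listing for glibc store paths and compares each nixpkgs patch level against the table's Fixed In versions. The sample paths and their hashes are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Earliest patched glibc per release series, from the issue's "Fixed In" column; the
# wordexp fix (2.40-218 / 2.42-51) is the later one and covers all three CVEs.
FIXED_IN: Dict[str, Version] = {"2.40": (2, 40, 218), "2.42": (2, 42, 51)}

# Store paths look like /nix/store/<32-char hash>-glibc-2.40-66 (optionally -dev, -bin, ...).
GLIBC_PATH = re.compile(r"^/nix/store/[0-9a-z]{32}-glibc-(\d+)\.(\d+)(?:-(\d+))?(?:-[a-z]+)?$")

def parse_glibc_version(store_path: str) -> Optional[Version]:
    """Return (major, minor, nixpkgs patch level) for a glibc store path, else None."""
    m = GLIBC_PATH.match(store_path.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def glibc_status(version: Version) -> str:
    """'vulnerable', 'fixed', or 'unknown' when the series is not in the issue's table."""
    fixed = FIXED_IN.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"

def audit_closure(closure_lines: Iterable[str]) -> Dict[str, str]:
    """Map every glibc store path in a closure listing to its status."""
    result: Dict[str, str] = {}
    for line in closure_lines:
        version = parse_glibc_version(line)
        if version is not None:
            result[line.strip()] = glibc_status(version)
    return result

def fake_hash(n: int) -> str:
    """Constructed 32-character stand-in for a real store hash (sample data only)."""
    return str(n).zfill(32)

# Constructed sample in the shape of `nix path-info -r <path>` output.
SAMPLE_CLOSURE: List[str] = [
    f"/nix/store/{fake_hash(1)}-glibc-2.40-66",
    f"/nix/store/{fake_hash(2)}-curl-8.11.0",
    f"/nix/store/{fake_hash(3)}-glibc-2.40-66-dev",
    f"/nix/store/{fake_hash(4)}-glibc-2.40-218",
]
```

To run it against a real system, pipe the output of `nix path-info -r /run/current-system` (one store path per line) into `audit_closure`; a series absent from the table is reported as `unknown` rather than guessed.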
