Release 3.17.3 (2026-04-07)
- Based on upstream Nix 2.33.3.
What's Changed
Fix for GHSA-g3g9-5vj6-r3gj: root privilege escalation via the Nix daemon
This release contains a critical fix for a security vulnerability on Linux that allows any user who has access to the Nix daemon to obtain root privileges. This vulnerability affects all versions of Determinate Nix prior to 3.17.3, and all versions of upstream Nix prior to 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6. All Linux users are advised to upgrade immediately; run nix --version to confirm which release you are on after upgrading.
For more details, see the upstream advisory GHSA-g3g9-5vj6-r3gj. Many thanks to edef for reporting this issue and to Sergei Zimmerman for implementing the fix.
Avoiding duplicate source tree downloads
When multiple Nix processes (such as several nix-eval-jobs instances) fetch the same source tree at the same time, each process could previously perform the download independently, so the same source tree was downloaded several times. Nix now takes a per-source-tree lock so that only one process performs the download; the others wait for it to finish and then reuse the result.
PR: DeterminateSystems/nix-src#410
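The following is an added illustration of the per-source-tree locking pattern described above; it is not Nix's own code (the real change is in the PR linked above) and it is not a reimplementation of it. The function names (fetch_once, tree_key, demo_concurrent_fetch), the locks/ and trees/ cache layout, and the download callback are all assumptions made for this example. It uses a POSIX flock() on a lock file named after the source tree, re-checks the cache after acquiring the lock, and publishes the finished tree with an atomic rename so that a partially downloaded tree is never visible to other fetchers. The demo runs several concurrent fetchers against a temporary cache and reports how many downloads actually happened.

```python
import fcntl
import hashlib
import os
import shutil
import tempfile
import threading
import time
from pathlib import Path


def tree_key(source_url: str) -> str:
    # Hypothetical key: hash the source identifier so the lock and cache
    # paths are filesystem-safe and unique per source tree.
    return hashlib.sha256(source_url.encode()).hexdigest()


def fetch_once(cache_dir: Path, source_url: str, download) -> Path:
    """Return the cached tree for source_url, downloading it at most once.

    download(dest_dir) is a caller-supplied fetcher (assumed interface); it
    must populate dest_dir and may be slow. Other fetchers of the same tree,
    in this process or another, block on the per-tree flock until the first
    one finishes, then find the tree present and skip their own download.
    """
    key = tree_key(source_url)
    lock_path = cache_dir / "locks" / f"{key}.lock"
    dest = cache_dir / "trees" / key
    lock_path.parent.mkdir(parents=True, exist_ok=True)
    dest.parent.mkdir(parents=True, exist_ok=True)

    # Each open() creates its own open file description, so flock() contends
    # between threads as well as between processes. It is advisory and only
    # coordinates fetchers on the same host (and is unreliable on NFS).
    with open(lock_path, "w") as lock_fd:
        fcntl.flock(lock_fd, fcntl.LOCK_EX)
        try:
            # Re-check under the lock: the previous holder may have finished
            # the download while we were waiting.
            if dest.exists():
                return dest
            partial = dest.parent / f"{key}.part"
            # Remove any leftover from a fetch that was killed mid-way.
            shutil.rmtree(partial, ignore_errors=True)
            download(partial)
            # Atomic publish: dest is either complete or absent, never partial.
            os.rename(partial, dest)
            return dest
        finally:
            fcntl.flock(lock_fd, fcntl.LOCK_UN)


def demo_concurrent_fetch(n_workers: int = 8) -> tuple:
    """Run n_workers fetchers of the same source concurrently and return
    (downloads performed, all workers got the same path, tree has the file)."""
    downloads = []
    results = []
    guard = threading.Lock()

    def slow_download(dest_dir: Path) -> None:
        # Constructed stand-in for a network fetch of a source tarball.
        with guard:
            downloads.append(dest_dir)
        time.sleep(0.05)
        dest_dir.mkdir()
        (dest_dir / "default.nix").write_text("{ }\n")

    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        url = "https://example.invalid/src.tar.gz"  # constructed sample input

        def worker() -> None:
            results.append(fetch_once(cache, url, slow_download))

        threads = [threading.Thread(target=worker) for _ in range(n_workers)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        same_path = len(results) == n_workers and len(set(results)) == 1
        has_file = bool(results) and (results[0] / "default.nix").exists()
    return (len(downloads), same_path, has_file)


if __name__ == "__main__":
    print(demo_concurrent_fetch())
```

The check that matters is the one after the lock is acquired, not before it: a pre-lock existence check is only an optimisation, and skipping the post-lock check reintroduces the duplicate download. The rename-based publish also means a fetcher that is interrupted leaves only a .part directory behind, which the next holder of the lock discards, rather than a half-written tree that later fetchers would treat as complete.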
WAT support in builtins.wasm
builtins.wasm now supports WebAssembly Text Format (WAT) in addition to binary Wasm modules.
This is primarily useful for testing.
PR: DeterminateSystems/nix-src#405
Git shallow fetching
Nix now removes Git's shallow.lock lock file before running git fetch.
This prevents fetches from hanging if Git was previously interrupted.
PR: DeterminateSystems/nix-src#414
Debugging improvements
Certain C++ exceptions that should never happen (like std::logic_error) are now treated as aborts, providing stack traces and core dumps that are easier to debug.
PR: DeterminateSystems/nix-src#407
Bug fixes
- nix develop respects legacyPackages again. DeterminateSystems/nix-src#413
- The lookupPathResolved data structure has been made thread-safe. DeterminateSystems/nix-src#415
Full Changelog: v3.17.2...v3.17.3