38 matches found

Packet Storm News
added 2025/11/25 12:00 a.m.

A Reality Check on SBOM-Based Vulnerability Management: An Empirical Study and a Path Forward

The Software Bill of Materials (SBOM) is a critical tool for securing the software supply chain (SSC), but its practical utility is undermined by inaccuracies in both its generation and its application in vulnerability scanning. This paper presents a large-scale empirical study on 2,414 open-source...

AI score: 7
Exploits: 0
OSSF Malicious Packages
added 2025/11/12 4:29 a.m.

Malicious code in perseus-procyon-hugo-ophiuchus (npm)

Per source details. Do not edit below this line. Source: amazon-inspector 87cbc891ef57a039f013ea6cf1f8543491dfaf10476bd98ffc8f915a00739772. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts (auto.js,...

AI score: 6.9
Exploits: 0
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-19381

Malicious code in bioql (PyPI)...

CVSS: 3.2, AI score: 6.3, EPSS: 0.00144
Exploits: 0, References: 6
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-19410

Malicious code in bioql (PyPI)...

CVSS: 2.9, AI score: 6.3, EPSS: 0.00157
Exploits: 0, References: 6
BDU FSTEC
added 2025/07/02 12:00 a.m.

The vulnerability of the unlinkat() function in the package managers Nix, Lix, and Guix allows attackers to increase their privileges.

The vulnerability of the unlinkat() function in Nix, Lix, and Guix is related to synchronization errors when using a shared resource. Exploiting this vulnerability can allow attackers to increase their privileges...

CVSS: 3.2, AI score: 5.5, EPSS: 0.00118
Exploits: 0, References: 6, Affected software: 3
BDU FSTEC
added 2025/07/02 12:00 a.m.

The vulnerability of the Nix, Lix, and Guix package managers lies in synchronization errors when using a shared resource, allowing an attacker to gain read and write access to data.

The vulnerability of the Nix, Lix, and Guix package managers is related to synchronization errors when using a shared resource. Exploiting this vulnerability can allow an attacker to gain access to read and modify data...

CVSS: 5.6, AI score: 5.5, EPSS: 0.00115
Exploits: 0, References: 6, Affected software: 3
RedhatCVE
added 2025/06/29 12:06 a.m.

CVE-2025-52991

The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data...

CVSS: 3.2, AI score: 6.4, EPSS: 0.00144
Exploits: 0, References: 1
RedhatCVE
added 2025/06/29 12:06 a.m.

CVE-2025-46415

A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b...

CVSS: 3.2, AI score: 6.5, EPSS: 0.00118
Exploits: 0, References: 1
OSV
added 2025/06/27 2:15 p.m.

CVE-2025-52993

A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld or guixbuild). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before...

CVSS: 5.6, AI score: 7.2, EPSS: 0.00115
Exploits: 0, References: 6
AlpineLinux
added 2025/06/27 2:15 p.m.

CVE-2025-52992

The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and...

CVSS: 3.2, AI score: 7.3, EPSS: 0.00144
Exploits: 0, References: 6
NVD
added 2025/06/27 2:15 p.m.

CVE-2025-52991

The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data...

CVSS: 3.2, EPSS: 0.00144
Exploits: 0, References: 6
OSV
added 2025/06/27 2:15 p.m.

CVE-2025-46416

The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before...

CVSS: 2.9, AI score: 7.1, EPSS: 0.00157
Exploits: 0, References: 6
OSV
added 2025/06/27 2:15 p.m.

UBUNTU-CVE-2025-46416

The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before...

CVSS: 2.9, AI score: 5.8, EPSS: 0.00157
Exploits: 0, References: 10
Vulnrichment
added 2025/06/27 12:00 a.m.

CVE-2025-52992

The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and...

CVSS: 3.2, AI score: 6.5, EPSS: 0.00144
Exploits: 0, References: 6
Cvelist
added 2025/06/27 12:00 a.m.

CVE-2025-46416

The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before...

CVSS: 2.9, EPSS: 0.00157
Exploits: 0, References: 6
CVE
added 2025/06/27 12:00 a.m.

CVE-2025-46416

The CVE-2025-46416 issue affects Nix, Lix, and GNU Guix, where a build-isolation bypass allows a user to escalate to the build user (e.g., nixbld/guixbuild). Affected versions: Nix up to 2.24.15, 2.26.4, 2.28.4, 2.29.1; Lix up to 2.91.2, 2.92.2, 2.93.1; Guix before 1.4.0-38.0e79d5b. The descriptio...

CVSS: 2.9, AI score: 6.5, EPSS: 0.00157
Exploits: 0, References: 6
CVE
added 2025/06/27 12:00 a.m.

CVE-2025-52991

CVE-2025-52991 affects Nix before 2.24.15, 2.26.4, 2.28.4, 2.29.1; Lix before 2.91.2, 2.92.2, 2.93.1; and Guix before 1.4.0-38.0e79d5b. The root cause is that temporary build directories are created in world-readable and world-writable locations, allowing local users to deceive the package manage...

CVSS: 3.2, AI score: 6.5, EPSS: 0.00144
Exploits: 0, References: 6
CVE
added 2025/06/27 12:00 a.m.

CVE-2025-46415

CVE-2025-46415 involves a race condition in the Nix, Lix, and Guix package managers that can lead to removal of content from arbitrary folders. The connected documents specify affected versions: Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; Guix before 1.4...

CVSS: 3.2, AI score: 6.6, EPSS: 0.00118
Exploits: 0, References: 6
Debian CVE
added 2025/06/27 12:00 a.m.

CVE-2025-46416

The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before...

CVSS: 2.9, AI score: 5.3, EPSS: 0.00157
Exploits: 0
RedHat Linux
added 2025/05/13 8:28 a.m.

kernel: exec: Fix ToCToU between perm check and set-uid/gid usage

A vulnerability was found in the Linux kernel. The fix addresses a race condition during file execution (exec), where a file's permissions could change between an initial check and execution, potentially allowing unauthorized privilege escalation. Specifically, a non-privileged user could gain root...

CVSS: 8.4, AI score: 7, EPSS: 0.00242
Exploits: 1, References: 5