High severity8.1NVD Advisory· Published Nov 17, 2024· Updated Apr 15, 2026

CVE-2024-52867

Description

guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.

Patches

558224140dab

https://cgit.git.savannah.gnu.org/cgit/guix.gitvia osv

5ab3c4c1e43e

https://cgit.git.savannah.gnu.org/cgit/guix.gitvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

git.savannah.gnu.org/cgit/guix.git/commit/nvd
git.savannah.gnu.org/cgit/guix.git/commit/nvd
guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/nvd
lists.debian.org/debian-lts-announce/2024/11/msg00016.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000