CVE-2025-32438HIGH 8.8EPSS p4.8%

CVE-2025-32438CVE-2025-32438

Description

make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS users. With systemd.shutdownRamfs.enable enabled (the default) a local user is able to create a program that will be executed by root during shutdown. Patches exist for NixOS 24.11 and 25.05 / unstable. As a workaround, set systemd.shutdownRamfs.enable = false;.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS0.15% probability of exploitation · percentile 4.8% · 2026-06-18T12:00:27Z
Published2025-04-15
Last modified2026-04-15

Underlying weaknesses· 2

CWE-378CWE-379

References

  1. https://github.com/NixOS/nixpkgs/commit/b17590193d8e5697000c23c66afcf11e1753734d
  2. https://github.com/NixOS/nixpkgs/commit/fbf76bf72b161b9f4ab97704a8258776d5f3ffba
  3. https://github.com/NixOS/nixpkgs/security/advisories/GHSA-m7pq-h9p4-8rr4

2

TypeTargetConfidenceTier
WeaknessCreation of Temporary File With Insecure Permissionscwe-3780%live
WeaknessCreation of Temporary File in Directory with Insecure Permissionscwe-3790%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-39860
CVE
CVE-2026-6893
CVE
CVE-2026-3888
CVE
CVE-2025-33223
CVE
CVE-2025-33224
CVE
Linux Kernel Improper Ownership Management Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.