CVE-2025-32438
📋 TL;DR
CVE-2025-32438 is a local privilege escalation vulnerability in make-initrd-ng on NixOS systems. When systemd.shutdownRamfs.enable is enabled (the default), a local user can create a program that executes with root privileges during system shutdown. All NixOS users with the default configuration are affected.
💻 Affected Systems
- make-initrd-ng
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the system, potentially compromising all data, installing persistent backdoors, or disrupting critical services.
Likely Case
Local user escalates to root privileges, gaining complete control over the system and ability to modify system files.
If Mitigated
With proper controls, the attack surface is reduced but local users could still attempt other privilege escalation methods.
🎯 Exploit Status
Requires local user access and knowledge of the vulnerability to create malicious shutdown scripts
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NixOS 24.11 and 25.05/unstable with patches applied
Vendor Advisory: https://github.com/NixOS/nixpkgs/security/advisories/GHSA-m7pq-h9p4-8rr4
Restart Required: Yes
Instructions:
1. Update NixOS to version 24.11 or 25.05/unstable with the latest patches.
2. Apply the security patches from the NixOS repository.
3. Reboot the system to ensure the changes take effect.
🔧 Temporary Workarounds
Disable shutdownRamfs
Disables the vulnerable shutdown ramfs feature that allows user-controlled programs to execute during shutdown.
Add 'systemd.shutdownRamfs.enable = false;' to your NixOS configuration.
🧯 If You Can't Patch
- Implement strict access controls to limit local user accounts
- Monitor for suspicious shutdown-related file creation and execution
🔍 How to Verify
Check if Vulnerable:
Check if systemd.shutdownRamfs.enable is set to true in your NixOS configuration
Check Version:
nixos-version
Verify Fix Applied:
Verify that the NixOS version is 24.11 or 25.05/unstable with the security patches applied, and that systemd.shutdownRamfs.enable is set to false on any system that is not yet patched.
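As an added example (not from the advisory or the NixOS project), the POSIX shell helper below combines the workaround check and the version check above: it evaluates the effective value of systemd.shutdownRamfs.enable with nix-instantiate and classifies the host from that value and the nixos-version string. It assumes that <nixpkgs/nixos> resolves to the running system's configuration, as on a channel-based install; the release numbers, sample version strings and the status names are constructed for this example. The version check is only a hint: the advisory lists 24.11 and 25.05/unstable as fixed once patched, so an enabled ramfs on those releases still needs the patch status confirmed by hand, and releases older than 24.11 are not listed as fixed.

```shell
#!/bin/sh
# Verification helper for CVE-2025-32438 on NixOS (added example, not the advisory's own code).
# Assumption: nix-instantiate is on PATH and <nixpkgs/nixos> resolves to the running configuration.

# Evaluate the effective value of systemd.shutdownRamfs.enable; prints "true" or "false".
get_shutdown_ramfs_enabled() {
    nix-instantiate --eval '<nixpkgs/nixos>' -A config.systemd.shutdownRamfs.enable 2>/dev/null
}

# Extract the release branch ("24.11", "25.05", ...) from a nixos-version string.
# "24.11.20250401.abcdef0 (Vicuna)" -> "24.11"; "25.05pre-git" -> "25.05"; "" -> "unknown"
release_of() {
    v=$1
    case "$v" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return ;;
    esac
    major=${v%%.*}            # digits before the first dot
    rest=${v#"$major".}       # everything after "major."
    minor=${rest%%[!0-9]*}    # leading digits of the remainder
    printf '%s.%s\n' "$major" "$minor"
}

# Classify the host from the option value and the version string. Prints one of:
#   mitigated   - shutdownRamfs is disabled, so the vulnerable code path is not used
#   check-patch - shutdownRamfs is enabled on 24.11 or later; confirm the nixpkgs patch is applied
#   exposed     - shutdownRamfs is enabled on a release older than 24.11 (no fix listed)
#   unknown     - the option value or the version could not be determined
assess() {
    enabled=$1
    version=$2
    if [ "$enabled" != "true" ] && [ "$enabled" != "false" ]; then
        echo unknown; return
    fi
    if [ "$enabled" = "false" ]; then
        echo mitigated; return
    fi
    rel=$(release_of "$version")
    if [ "$rel" = "unknown" ]; then
        echo unknown; return
    fi
    major=${rel%%.*}
    minor=${rel#*.}
    minor=${minor#0}          # "05" -> "5" so the arithmetic below is never read as octal
    # Year.month releases compare correctly as major*100+minor (24.11 -> 2411, 25.05 -> 2505).
    if [ "$((major * 100 + minor))" -ge 2411 ]; then
        echo check-patch
    else
        echo exposed
    fi
}

main() {
    enabled=$(get_shutdown_ramfs_enabled)
    version=$(nixos-version 2>/dev/null)
    printf 'systemd.shutdownRamfs.enable: %s\n' "${enabled:-unknown}"
    printf 'nixos-version: %s\n' "${version:-unknown}"
    printf 'CVE-2025-32438 status: %s\n' "$(assess "$enabled" "$version")"
}

# Only query the live system when the Nix tooling is actually present.
if command -v nix-instantiate >/dev/null 2>&1; then
    main
fi
```

Run it as root or any user on the NixOS host; a result of check-patch means the mitigation is not in place and the advisory's patch status must be confirmed separately, since a version string alone cannot show whether the nixpkgs fix was applied.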
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation in shutdown directories
- Suspicious processes running as root during shutdown
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
Search for process execution events during shutdown with unusual parent processes or command lines