Security Advisory: Local privilege escalation in make-initrd-ng (CVE-2025-32438)

Summary

From the report:

An unprivileged process with filesystem access can become root during system shutdown

A local attacker can write to /run/initramfs, because the directory permissions are unsafe. The systemd-shutdown binary becomes PID 1 whenever the systemd poweroff, halt, reboot, or kexec target is reached. It then makes /run/initramfs the root file system and executes /shutdown, which further executes other programs in the shutdown tmpfs (aka exitrd). These programs are executed with full privileges, and the original root file system is mounted at /oldroot.

Am I affected?

Every NixOS configuration with systemd.shutdownRamfs.enable enabled. This is the default for all NixOS installations, introduced during the NixOS 22.05 development cycle (30a00c2, 69d8047).

Patches

Patches were provided for NixOS 24.11 and Unstable. Older releases are not supported.

Workaround

Disable systemd.shutdownRamfs.enable by setting it to false.

Acknowledgement

Two similar issues were reported by @sudoBash4218 to the NixOS security team on 2025-03-30 and 2025-04-01. They included a root cause analysis, suggestions on how to patch these issues and a PoC exploit.

27 Likes
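The advisory says the attack works because the permissions on /run/initramfs let an unprivileged process write into the directory that later becomes the shutdown root. A defender's check for that condition, as an added example that is not part of the advisory or of NixOS itself: it treats the exitrd directory as safe only if it is owned by the expected uid (root by default) and carries no group or other write bit (that "safe" definition, and the use of GNU `stat -c`, are assumptions of this example, not statements from the report).

```shell
#!/bin/sh
# Added example (not from the advisory or NixOS): report whether a
# directory that will become the shutdown root file system is writable
# by unprivileged users. Assumptions: Linux host with GNU coreutils
# (stat -c), and "safe" meaning root-owned with no group/other write bit.

# perms_grant_unprivileged_write DIR
#   exit 0 if the group or other permission digit carries the write bit,
#   exit 1 otherwise (or if the directory cannot be inspected)
perms_grant_unprivileged_write() {
    dir="$1"
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    # %a may include a leading special-bits digit (e.g. 1777); keep the
    # last three octal digits, which are the owner/group/other bits
    perms=$(printf '%s' "$mode" | tail -c 3)
    group_digit=$(printf '%s' "$perms" | cut -c2)
    other_digit=$(printf '%s' "$perms" | cut -c3)
    # an octal digit has the write bit set when it is 2, 3, 6 or 7
    case "$group_digit" in 2|3|6|7) return 0 ;; esac
    case "$other_digit" in 2|3|6|7) return 0 ;; esac
    return 1
}

# exitrd_dir_is_safe DIR [EXPECTED_UID]
#   exit 0 when DIR exists, is owned by EXPECTED_UID (default 0 = root)
#   and grants no write access to group or others; exit 1 otherwise
exitrd_dir_is_safe() {
    dir="$1"
    expected_uid="${2:-0}"
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir" 2>/dev/null) || return 1
    [ "$owner" -eq "$expected_uid" ] || return 1
    if perms_grant_unprivileged_write "$dir"; then
        return 1
    fi
    return 0
}

# Usage on a live system (the path is the shutdown tmpfs named in the
# advisory; the command is not run here so the file stays side-effect free):
#   exitrd_dir_is_safe /run/initramfs && echo safe || echo "UNSAFE: fix perms"
```

On a NixOS host this is only a spot check of the symptom, not a substitute for the patch: the exitrd contents are created at shutdown, so the check should be run after the directory has been populated and, if it reports unsafe, the system should be updated or `systemd.shutdownRamfs.enable` set to `false` as the advisory describes.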

For anyone interested, I wrote a blog post about how I found the vulnerabilities: https://blog.sb418.net/finding-a-pair-of-nixos-lpes/

29 Likes

Any rough estimate of when this will make it to nixos-24.11?

The channel appears to be stuck at the moment.

It is rebuilding world due to a Perl security update. With 55k builds remaining it should complete in less than 72 hours.

5 Likes

What are the practical consequences of systemd.shutdownRamfs.enable = false;? All I’ve been able to find so far are vague descriptions of what this gadget is intended to be used for in principle; can anyone explain what one gives up by disabling it?

2 Likes

If your rootfs is mounted by a daemon (e.g. NFS or FUSE) in the initrd you need the exitrd for cleaning up resources.

Else it’s completely unnecessary. I would think we could even default to not enabling it at all.

6 Likes

Good news, nixos-24.11 is about to advance in a few minutes.

4 Likes