Critical correctness bug in Lix

  • Incident Summary: An incident was mitigated. A post will be updated with closure pointers. The Lix team is available for support. A postmortem will be published on complete closure. The fix for CVE-2025-52992 introduced a critical regression affecting derivation builds, causing missing or invalid store paths and system instability.
  • Affected and Non-Affected Versions: Affected versions are Lix 2.91.2, 2.92.2, 2.93.1. Non-affected versions are Lix 2.91.3, 2.92.3, 2.93.2. The problem has been witnessed on Linux and may occur on Darwin.
  • What to Do Now: Stop the Nix garbage collector and daemon. Download a static Nix binary. Do not run nix-store --delete --ignore-liveness.
  • Recovery Steps:
      Check the system's store with:
        NIX_REMOTE=local /path/to/static-nix/bin/nix-store --verify --repair
      Recover a missing path with:
        NIX_REMOTE=local /path/to/static-nix/bin/nix-store --repair -r /nix/store/xxxx-path
      Rebuild the system with either:
        NIX_REMOTE=local /path/to/static-nix/nix-build -E 'import <nixpkgs/nixos> {}' -A system
      or:
        NIX_REMOTE=local /path/to/static-nix/nix --experimental-features 'nix-command flakes' build /path/to/nixos/flake#nixosConfigurations.myhostname.config.system.build.toplevel
  • Remediation Options: Patch Nixpkgs for existing remediation, update to a new minor of Lix using lix-project/nixos-module, or roll back to the previous (vulnerable) version.
  • If System is Broken: Boot into a live ISO with a working Nix, mount the root disk, and use nix-store --verify --repair. Reboot and follow previous steps.
  • How to Apply/Revert Patches: Provide pointers on using fetchpatch, overrideAttrs, overlays-definition, and Nixpkgs/Patching_Nixpkgs.
  • Timeline: Various events and timestamps related to the incident, including CVE embargo lift, issue reporting, investigation, and release process steps.
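
To find which machines need the steps above, the affected and non-affected version lists can be turned into a small triage filter. This is an added example, not code from the Lix project; it assumes each host's `nix --version` output has been collected, that Lix output contains the word "Lix" with the version as the last field, and the host names and version lines in the sample are constructed.

```shell
#!/bin/sh
# Added example: classify collected `nix --version` lines against the
# version lists in this advisory.
# Assumption: Lix prints something like "nix (Lix, like Nix) 2.93.1".

classify_lix() {
    line=$1
    case $line in
        *Lix*) ;;                              # only Lix is covered by the advisory
        *) echo "not-lix"; return 0 ;;
    esac
    version=${line##* }                        # last space-separated field
    case $version in
        2.91.2|2.92.2|2.93.1) echo "affected" ;;   # regression releases
        2.91.3|2.92.3|2.93.2) echo "fixed" ;;      # releases listed as non-affected
        *) echo "unlisted" ;;                      # not named in the advisory
    esac
}

# Reads "host <nix --version output>" records on stdin, prints one verdict per
# host, and returns non-zero if any host runs an affected release.
triage() {
    rc=0
    while read -r host line; do
        [ -n "$host" ] || continue
        verdict=$(classify_lix "$line")
        printf '%s %s\n' "$host" "$verdict"
        if [ "$verdict" = affected ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample inventory (host names and lines are illustrative).
sample_inventory() {
    cat <<'EOF'
build01 nix (Lix, like Nix) 2.93.1
build02 nix (Lix, like Nix) 2.93.2
laptop7 nix (Lix, like Nix) 2.90.0
ci-mac1 nix (Nix) 2.28.3
EOF
}

sample_inventory | triage || echo "at least one host runs an affected Lix release"
```

Hosts reported as "unlisted" run a version the advisory names in neither list and need to be checked by hand.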

In summary, this incident involves a regression in Lix that affects system stability. Users are advised to take specific actions to recover and prevent further issues, and there are multiple remediation options available.
