Skip to content
Tech News
← Back to articles

Non-determinism is an issue with patching CVEs

2026-05-08 | original
read original get Cybersecurity Patch Management Kit → more articles
Why This Matters

The rise of AI-driven vulnerability discovery accelerates the identification of CVEs, highlighting the need for more robust dependency management systems. Traditional methods struggle to keep pace with the increasing volume and complexity of CVEs, especially in diverse environments. Implementing systems like Flox and Nix can help organizations verify dependencies at build time, reducing manual effort and improving security posture.

Key Takeaways

Even before Claude Mythos was announced, there were clear signs that the next era of CVEs would be found by AI models. Big Sleep found a zero-day vulnerability in SQLite, Microsoft Copilot found 20+ CVEs in bootloaders, and DARPA launched AIxCC to incentivize AI CVE discovery.

Now, with models like Claude Mythos emerging, there are two major takeaways: we'll see a rapid acceleration in the rate of CVEs as AI models improve, and we'll detect more CVEs that have persisted through versions, evading researchers for decades.

One of the trickiest categories is package CVEs. Most organizations don't have an up-to-date manifest of every package in their stack. System-level package managers like dnf , apt , and zypper , or toolchain package managers like pip , npm , and cargo , resolve package versions that vary across platforms, environments, and time. To feel confident that a vulnerable dependency isn't being used, organizations have to manually scan their entire stack. Couple that with ever-increasing number of CVEs, and the problem quickly becomes unmanageable.

This explosion of CVEs should encourage developers to embrace a system of record for their installed packages. It’s why we built Flox: an open source system for platform and devEx teams to centrally manage environments from development to production. Flox is made possible by Nix, a declarative package manager with a cryptographically verifiable dependency graph. Together, Flox and Nix flip the model: Instead of discovering vulnerable packages via after-the-fact scans, every dependency is verifiable at build time and can be traced by Flox’s system of record.

With traditional package managers, CVE triage scales with the number of artifacts, images, hosts, or runtime environments you run. If you have n deployments, you generally need to analyze each one, because there's no reliable way to prove two environments contain exactly the same dependencies.

In Big O terms, that's O(n) work, and most of it is redundant.

Nix changes what you analyze. Every Nix or Flox environment resolves to the complete, transitive set of packages and build inputs used to produce it. In the argot of Nix, this is called a "closure." Closures are input-addressed, so if two environments resolve to the same Nix store path, they can be treated as the same unit for CVE triage; you need not inspect both independently to prove that their dependency sets match.

This turns triage into a deduplication problem. If your n environments share only u distinct dependency sets, the expensive work (like checking which packages are affected or validating a patch) runs once per dependency set instead of once per environment. If for example 500 environments collapse to 50 unique dependency sets, then the triage work isn't "scan 500 things." It is more akin to:

Map each environment to its dependency set.

Group environments with the same dependency set.

... continue reading

Explore topics: cve sqlite microsoft copilot darpa nix
Related:
Dirty Frag: Universal Linux LPE
The React2Shell Story
Pentagon Think Tank Tests Ingenious Plan to Protect Coasts From Hurricanes—and It’s Working
CISA gives feds four days to patch Ivanti flaw exploited as zero-day
GNU IFUNC is the real culprit behind CVE-2024-3094

© 2026 GoKawiil

About | Editorial Policy | Contact