CVE-2025-68803

NONE EPSS 6.9%
Published Jan 13, 20265mo ago · Modified Jun 17, 20262w ago
Find Similar
Published Jan 13, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL.

Threat Intelligence

EPSS Exploit Probability
6.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 7

  • git.kernel.org https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192
  • git.kernel.org https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862
  • git.kernel.org https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1
  • git.kernel.org https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725
  • git.kernel.org https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562
  • git.kernel.org https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3
  • git.kernel.org https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.