CVE-2026-52906

HIGH EPSS 2.2%
Published Jun 9, 20263w ago · Modified Jun 17, 20262w ago
7.7 CVSS 3.1
High
Find Similar
Published Jun 9, 2026 3w ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: 9p: fix access mode flags being ORed instead of replaced Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(). For 9P2000.L, session_init sets V9FS_ACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode. This causes v9fs_fid_lookup() to fall through to the default switch case, using INVALID_UID (nobody/65534) instead of current_fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations. Fix by clearing the access mask before applying the user's choice.

CVSS Details

Base Score
7.7
Exploitability
2.5
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
2.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 2

  • git.kernel.org https://git.kernel.org/stable/c/b8f037e87a083291190204b959cda417aaf01058
  • git.kernel.org https://git.kernel.org/stable/c/da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.