CVE-2025-68803
Published: Jan 13, 2026
Modified: May 23, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected c5409ce523af40d5c3019717bc5b4f72038d48be - < c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3daffected d52acd23a327cada5fb597591267cfc09f08bb1d - < 75f91534f9acdfef77f8fa094313b7806f801725affected c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b - < 60dbdef2ebc2317266a385e4debdb1bb0e57afe1affected c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b - < 381261f24f4e4b41521c0e5ef5cc0b9a786a9862affected c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b - < bf4e671c651534a307ab2fabba4926116beef8c3+4 more versions |
Linux | Linux | affected 6.0unaffected 0 - < 6.0unaffected 5.10.248 - <= 5.10.*unaffected 5.15.198 - <= 5.15.*unaffected 6.1.160 - <= 6.1.*+4 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now