Bug 2413081 (CVE-2025-12801)

Summary: CVE-2025-12801 nfs-utils: rpc.mountd in the nfs-utils privilege escalation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, mmilgram, prodsec-dev, security-response-team, smayhew, steved
Target Milestone: ---Keywords: Security
Target Release: ---Flags: carnil: needinfo? (prodsec-dev)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-03-04   

Description OSIDB Bzimport 2025-11-06 12:19:04 UTC 
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the
privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
Comment 2 errata-xmlrpc 2026-03-05 18:40:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:3939 https://access.redhat.com/errata/RHSA-2026:3939
Comment 3 errata-xmlrpc 2026-03-05 18:53:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3938 https://access.redhat.com/errata/RHSA-2026:3938
Comment 4 errata-xmlrpc 2026-03-05 18:54:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:3940 https://access.redhat.com/errata/RHSA-2026:3940
Comment 5 errata-xmlrpc 2026-03-05 19:04:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:3942 https://access.redhat.com/errata/RHSA-2026:3942
Comment 6 errata-xmlrpc 2026-03-05 19:08:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:3941 https://access.redhat.com/errata/RHSA-2026:3941
Comment 7 Salvatore Bonaccorso 2026-03-06 06:43:54 UTC 
Hi

Can you please provide references to the upstream commit fixing this issue?

Regards,
Salvatore
Comment 11 Salvatore Bonaccorso 2026-03-06 19:46:22 UTC 
There was this linux-nfs post: https://lore.kernel.org/linux-nfs/20260305155948.11261-1-steved@redhat.com/