2413081 – (CVE-2025-12801) CVE-2025-12801 nfs-utils: rpc.mountd in the nfs-utils privilege escalation

Bug 2413081 (CVE-2025-12801) - CVE-2025-12801 nfs-utils: rpc.mountd in the nfs-utils privilege escalation [NEEDINFO]

Summary: CVE-2025-12801 nfs-utils: rpc.mountd in the nfs-utils privilege escalation

Keywords:
Status:	NEW
Alias:	CVE-2025-12801
Deadline:	2026-03-04
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-06 12:19 UTC by OSIDB Bzimport
Modified:	2026-03-06 06:43 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags:	carnil: needinfo? (prodsec-dev)

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:3938	None	None	None	2026-03-05 18:53:22 UTC
Red Hat Product Errata	RHSA-2026:3939	None	None	None	2026-03-05 18:40:17 UTC
Red Hat Product Errata	RHSA-2026:3940	None	None	None	2026-03-05 18:54:49 UTC
Red Hat Product Errata	RHSA-2026:3941	None	None	None	2026-03-05 19:08:41 UTC
Red Hat Product Errata	RHSA-2026:3942	None	None	None	2026-03-05 19:04:34 UTC

Description OSIDB Bzimport 2025-11-06 12:19:04 UTC

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the
privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

Comment 2 errata-xmlrpc 2026-03-05 18:40:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:3939 https://access.redhat.com/errata/RHSA-2026:3939

Comment 3 errata-xmlrpc 2026-03-05 18:53:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3938 https://access.redhat.com/errata/RHSA-2026:3938

Comment 4 errata-xmlrpc 2026-03-05 18:54:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:3940 https://access.redhat.com/errata/RHSA-2026:3940

Comment 5 errata-xmlrpc 2026-03-05 19:04:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:3942 https://access.redhat.com/errata/RHSA-2026:3942

Comment 6 errata-xmlrpc 2026-03-05 19:08:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:3941 https://access.redhat.com/errata/RHSA-2026:3941

Comment 7 Salvatore Bonaccorso 2026-03-06 06:43:54 UTC

Hi

Can you please provide references to the upstream commit fixing this issue?

Regards,
Salvatore

Note You need to log in before you can comment on or make changes to this bug.