Bug 2429068 (CVE-2025-68803) - CVE-2025-68803 kernel: NFSD: NFSv4 file creation neglects setting ACL
Summary: CVE-2025-68803 kernel: NFSD: NFSv4 file creation neglects setting ACL
Keywords:
Status: NEW
Alias: CVE-2025-68803
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-13 16:04 UTC by OSIDB Bzimport
Modified: 2026-01-15 02:20 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-13 16:04:28 UTC 
In the Linux kernel, the following vulnerability has been resolved:

NFSD: NFSv4 file creation neglects setting ACL

An NFSv4 client that sets an ACL with a named principal during file
creation retrieves the ACL afterwards, and finds that it is only a
default ACL (based on the mode bits) and not the ACL that was
requested during file creation. This violates RFC 8881 section
6.4.1.3: "the ACL attribute is set as given".

The issue occurs in nfsd_create_setattr(), which calls
nfsd_attrs_valid() to determine whether to call nfsd_setattr().
However, nfsd_attrs_valid() checks only for iattr changes and
security labels, but not POSIX ACLs. When only an ACL is present,
the function returns false, nfsd_setattr() is skipped, and the
POSIX ACL is never applied to the inode.

Subsequently, when the client retrieves the ACL, the server finds
no POSIX ACL on the inode and returns one generated from the file's
mode bits rather than returning the originally-specified ACL.
Comment 1 Jon Moroney 2026-01-15 01:36:59 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011309-CVE-2025-68803-d897@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.