2486998 – (CVE-2026-52906) CVE-2026-52906 kernel: 9p: fix access mode flags being ORed instead of replaced

Bug 2486998 (CVE-2026-52906) - CVE-2026-52906 kernel: 9p: fix access mode flags being ORed instead of replaced

Summary: CVE-2026-52906 kernel: 9p: fix access mode flags being ORed instead of replaced

Keywords:
Status:	NEW
Alias:	CVE-2026-52906
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-09 14:01 UTC by OSIDB Bzimport
Modified:	2026-06-09 16:43 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-09 14:01:27 UTC

In the Linux kernel, the following vulnerability has been resolved:

9p: fix access mode flags being ORed instead of replaced

Since commit 1f3e4142c0eb ("9p: convert to the new mount API"),
v9fs_apply_options() applies parsed mount flags with |= onto flags
already set by v9fs_session_init(). For 9P2000.L, session_init sets
V9FS_ACCESS_CLIENT as the default, so when the user mounts with
"access=user", both bits end up set. Access mode checks compare
against exact values, so having both bits set matches neither mode.

This causes v9fs_fid_lookup() to fall through to the default switch
case, using INVALID_UID (nobody/65534) instead of current_fsuid()
for all fid lookups. Root is then unable to chown or perform other
privileged operations.

Fix by clearing the access mask before applying the user's choice.

Comment 1 Keith Grant 2026-06-09 16:41:57 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026060913-CVE-2026-52906-4464@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.