CVE-2025-68803
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-68803, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-13

Last updated on: 2026-01-19

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-13
Last Modified
2026-01-19
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel's NFS server (NFSD) affects NFSv4 file creation when an ACL (Access Control List) with a named principal is set. During file creation, the requested ACL is not properly applied because the function responsible for validating attributes does not recognize POSIX ACL changes. As a result, the ACL is never set on the file, and when the client retrieves the ACL, it only sees a default ACL derived from the file's mode bits, not the originally requested ACL. This behavior violates RFC 8881 section 6.4.1.3, which requires the ACL attribute to be set as given.

Impact Analysis

This vulnerability can lead to incorrect file permissions being applied on files created via NFSv4, as the intended ACLs are not set. This may cause security issues such as unauthorized access or denial of access because the actual permissions differ from what the client requested. It undermines the expected access control enforcement on files created over NFSv4.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68803. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart