CVE-2026-52906
Received Received - Intake

9p Filesystem Access Mode Override in Linux Kernel

Vulnerability report for CVE-2026-52906, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: 9p: fix access mode flags being ORed instead of replaced Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(). For 9P2000.L, session_init sets V9FS_ACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode. This causes v9fs_fid_lookup() to fall through to the default switch case, using INVALID_UID (nobody/65534) instead of current_fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations. Fix by clearing the access mask before applying the user's choice.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-09
Last Modified
2026-06-14
Generated
2026-07-07
AI Q&A
2026-06-10
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
linux kernel *
linux linux_kernel *
linux_kernel linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed by clearing the access mask before applying the user's choice in the Linux kernel's 9p filesystem code.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes the fix for this issue (post commit 1f3e4142c0eb).

Executive Summary

This vulnerability exists in the Linux kernel's 9p filesystem implementation. The issue arises because access mode flags are combined using a bitwise OR operation instead of being replaced. Specifically, when mounting with the option "access=user", both the default access mode flag and the user-specified flag are set simultaneously. Since access mode checks require exact matches, having both flags set causes the system to fail to recognize the correct access mode.

As a result, the function responsible for looking up file identifiers (v9fs_fid_lookup) defaults to using an invalid user ID (INVALID_UID) instead of the current user's ID. This prevents root from performing privileged operations like changing ownership (chown). The fix involves clearing the existing access mask before applying the user's chosen access mode.

Impact Analysis

This vulnerability can impact system administrators and users with root privileges by preventing them from performing certain privileged operations on the 9p filesystem, such as changing file ownership (chown). Because the system incorrectly uses an invalid user ID for file lookups, root-level actions may fail, potentially disrupting system management and file permission configurations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52906. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart