VYPR
Unrated severity · NVD Advisory · Published Jan 5, 2026 · Updated Apr 15, 2026

CVE-2025-68764

Description

In the Linux kernel, the following vulnerability has been resolved:

NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags

When a filesystem is being automounted, it needs to preserve the user-set superblock mount options, such as the "ro" flag.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, NFS automounts ignored user-set mount flags such as ro, noexec, nodev, and sync; the fix ensures they are inherited.

Root Cause

In the Linux kernel's NFS client, when an automounted filesystem is created, the code failed to preserve user-specified superblock mount options such as ro, noexec, nodev, and sync. This meant that even if a user explicitly set these flags on the parent mount, the automounted subdirectory would not inherit them, potentially violating security expectations.

Attack Vector

An attacker with the ability to trigger an NFS automount (e.g., by accessing a path that triggers an autofs map) could exploit this to bypass read-only restrictions or other mount constraints. No authentication is required beyond the ability to access the automount point; the vulnerability is in the kernel's handling of mount options during the automount process.

Impact

By not inheriting the ro flag, an automounted NFS filesystem could be writable even when the parent mount was intended to be read-only. Similarly, missing noexec, nodev, or sync flags could allow execution of binaries, device node creation, or relaxed write ordering, undermining the security posture of the system.

Mitigation

The fix was applied to the Linux kernel stable tree via commits [1], [2], [3], and [4]. Users should update to a kernel version containing these commits. No workaround is available other than avoiding automounts or applying the kernel patch.
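To check a host for the condition described above, the following added example (not part of the advisory or the kernel fix) parses `/proc/self/mountinfo`-format text and reports NFS mounts that lack ro, noexec, nodev or sync when their NFS parent mount has them. The sample mount table, server name and paths are constructed, and the script assumes the effective flags appear in either the per-mount or the superblock option field.

```python
"""Audit sketch: flag NFS submounts lacking ro/noexec/nodev/sync set on their parent."""
import sys

INHERITED = {"ro", "noexec", "nodev", "sync"}  # flags named in the advisory

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
SAMPLE = """\
40 25 0:45 / /srv/data ro,nodev,noexec,relatime shared:1 - nfs4 server.example:/export ro,sync,vers=4.2
41 40 0:46 / /srv/data/projects rw,relatime shared:2 - nfs4 server.example:/export/projects rw,vers=4.2
42 40 0:47 / /srv/data/archive ro,nodev,noexec,relatime - nfs4 server.example:/export/archive ro,sync,vers=4.2
25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
"""

def parse_mountinfo(text):
    """Return {mount_id: dict} for each well-formed mountinfo line."""
    mounts = {}
    for line in text.splitlines():
        # Fields before " - ": id, parent id, dev, root, mount point, options, optional tags.
        left, sep, right = line.partition(" - ")
        head, tail = left.split(), right.split()
        if not sep or len(head) < 6 or len(tail) < 2:
            continue  # skip malformed lines
        sb_opts = tail[2] if len(tail) > 2 else ""
        # Assumption: treat the union of per-mount and superblock options as effective flags.
        flags = set(head[5].split(",")) | set(sb_opts.split(","))
        mounts[head[0]] = {"parent": head[1], "path": head[4],
                           "fstype": tail[0], "flags": flags}
    return mounts

def missing_inherited_flags(text):
    """List (child_path, parent_path, missing_flags) for NFS mounts on NFS parents."""
    mounts = parse_mountinfo(text)
    findings = []
    for m in mounts.values():
        parent = mounts.get(m["parent"])
        if not parent or not (m["fstype"].startswith("nfs")
                              and parent["fstype"].startswith("nfs")):
            continue
        missing = sorted((parent["flags"] & INHERITED) - m["flags"])
        if missing:
            findings.append((m["path"], parent["path"], missing))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for child, parent, missing in missing_inherited_flags(text):
        print(f"{child}: missing {','.join(missing)} set on parent {parent}")
```

Run it with `/proc/self/mountinfo` as the argument on a live host. It cannot distinguish automounted submounts from NFS mounts an administrator made explicitly with different options, so findings need review.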

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
