CVE-2025-68803
Description
In the Linux kernel, the following vulnerability has been resolved:
NFSD: NFSv4 file creation neglects setting ACL
An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given".
The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode.
Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NFSD in the Linux kernel fails to apply POSIX ACLs during NFSv4 file creation, violating RFC 8881 and returning a mode-based ACL instead.
Root
Cause
In the Linux kernel's NFS server (NFSD), the function nfsd_create_setattr() is responsible for applying attributes during NFSv4 file creation. It calls nfsd_attrs_valid() to decide whether to invoke nfsd_setattr(). However, nfsd_attrs_valid() only checks for iattr changes and security labels, not for POSIX ACLs. When a client creates a file with only an ACL (no other attribute changes), the function returns false, causing nfsd_setattr() to be skipped. Consequently, the requested POSIX ACL is never applied to the inode [1].
Exploitation
An NFSv4 client that sets an ACL containing a named principal during file creation will later retrieve the ACL and find only a default ACL derived from the file's mode bits, not the ACL that was originally specified. This behavior violates RFC 8881 section 6. No special privileges are required beyond the ability to create files with ACLs; the attack surface is the NFS server's handling of create operations [1].
Impact
The impact is a violation of the NFSv4 protocol specification: the server does not honor the ACL attribute set during file creation. Clients expecting fine-grained access control via ACLs may experience incorrect permissions, potentially leading to unintended access or denial of service. The server returns a mode-based ACL instead of the intended one [1].
Mitigation
The fix is included in Linux kernel stable updates. The commit 381261f24f4e (and backport c182e1e0b76) modifies nfsd_attrs_valid() to also check for POSIX ACL changes, ensuring that nfsd_setattr() is called when an ACL is present. Administrators should apply the latest kernel updates from their distribution [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192nvd
- git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862nvd
- git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1nvd
- git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725nvd
- git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562nvd
- git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3nvd
- git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3dnvd
News mentions
0No linked articles in our index yet.