CVE-2026-52906
Description
Linux kernel 9p vulnerability allows incorrect access mode flags, preventing root operations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel 9p vulnerability allows incorrect access mode flags, preventing root operations.
Vulnerability
In the Linux kernel's 9p (v9fs) filesystem implementation, a flaw exists in the v9fs_apply_options() function. Since commit 1f3e4142c0eb, mount flags are incorrectly ORed instead of being replaced. This leads to V9FS_ACCESS_CLIENT and user-specified access bits both being set, causing access mode checks in v9fs_fid_lookup() to fail. This affects versions of the Linux kernel where commit 1f3e4142c0eb is present and the described logic is active.
Exploitation
An attacker with the ability to mount a 9p filesystem with specific options, such as access=user, can trigger this vulnerability. The incorrect ORing of flags causes subsequent file operations, including chown, to use an invalid UID (nobody/65534) instead of the expected user's UID, effectively breaking privileged operations.
Impact
Successful exploitation prevents the root user from performing privileged operations like chown on files accessed through the affected 9p mount. This is due to the incorrect access mode flags causing lookups to fall back to using INVALID_UID.
Mitigation
The vulnerability has been resolved in the Linux kernel by clearing the access mask before applying user-specified options. The specific commit that fixes this is b8f037e87a083291190204b959cda417aaf01058 [1]. No workarounds are described in the available references, and no information regarding EOL status or KEV listing is present.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
4b8f037e87a089p: fix access mode flags being ORed instead of replaced
1 file changed · +4 −1
fs/9p/v9fs.c+4 −1 modifieddiff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c index 057487efaaeb2..acda42499ca9e 100644 --- a/fs/9p/v9fs.c +++ b/fs/9p/v9fs.c @@ -413,7 +413,11 @@ static void v9fs_apply_options(struct v9fs_session_info *v9ses, /* * Note that we must |= flags here as session_init already * set basic flags. This adds in flags from parsed options. + * Default access flags must be cleared if session options + * changes them to avoid mangling the setting. */ + if (ctx->session_opts.flags & V9FS_ACCESS_MASK) + v9ses->flags &= ~V9FS_ACCESS_MASK; v9ses->flags |= ctx->session_opts.flags; #ifdef CONFIG_9P_FSCACHE v9ses->cachetag = ctx->session_opts.cachetag; -- cgit 1.3-korg
da2346a48a5a9p: fix access mode flags being ORed instead of replaced
1 file changed · +4 −1
fs/9p/v9fs.c+4 −1 modifieddiff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c index 057487efaaeb2..acda42499ca9e 100644 --- a/fs/9p/v9fs.c +++ b/fs/9p/v9fs.c @@ -413,7 +413,11 @@ static void v9fs_apply_options(struct v9fs_session_info *v9ses, /* * Note that we must |= flags here as session_init already * set basic flags. This adds in flags from parsed options. + * Default access flags must be cleared if session options + * changes them to avoid mangling the setting. */ + if (ctx->session_opts.flags & V9FS_ACCESS_MASK) + v9ses->flags &= ~V9FS_ACCESS_MASK; v9ses->flags |= ctx->session_opts.flags; #ifdef CONFIG_9P_FSCACHE v9ses->cachetag = ctx->session_opts.cachetag; -- cgit 1.3-korg
b8f037e87a089p: fix access mode flags being ORed instead of replaced
1 file changed · +4 −1
fs/9p/v9fs.c+4 −1 modifieddiff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c index 057487efaaeb2..acda42499ca9e 100644 --- a/fs/9p/v9fs.c +++ b/fs/9p/v9fs.c @@ -413,7 +413,11 @@ static void v9fs_apply_options(struct v9fs_session_info *v9ses, /* * Note that we must |= flags here as session_init already * set basic flags. This adds in flags from parsed options. + * Default access flags must be cleared if session options + * changes them to avoid mangling the setting. */ + if (ctx->session_opts.flags & V9FS_ACCESS_MASK) + v9ses->flags &= ~V9FS_ACCESS_MASK; v9ses->flags |= ctx->session_opts.flags; #ifdef CONFIG_9P_FSCACHE v9ses->cachetag = ctx->session_opts.cachetag; -- cgit 1.3-korg
da2346a48a5a9p: fix access mode flags being ORed instead of replaced
1 file changed · +4 −1
fs/9p/v9fs.c+4 −1 modifieddiff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c index 057487efaaeb2..acda42499ca9e 100644 --- a/fs/9p/v9fs.c +++ b/fs/9p/v9fs.c @@ -413,7 +413,11 @@ static void v9fs_apply_options(struct v9fs_session_info *v9ses, /* * Note that we must |= flags here as session_init already * set basic flags. This adds in flags from parsed options. + * Default access flags must be cleared if session options + * changes them to avoid mangling the setting. */ + if (ctx->session_opts.flags & V9FS_ACCESS_MASK) + v9ses->flags &= ~V9FS_ACCESS_MASK; v9ses->flags |= ctx->session_opts.flags; #ifdef CONFIG_9P_FSCACHE v9ses->cachetag = ctx->session_opts.cachetag; -- cgit 1.3-korg
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
1- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8-9, 2026Vypr Intelligence · Jun 9, 2026