Description
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux that allows an NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
Published: 2026-03-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation by NFSv3 clients
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the rpc.mountd daemon of the nfs-utils package allows an NFSv3 client to bypass the permissions defined in the /etc/exports file during mount time. The flaw lets the client access any subdirectory or subtree of an exported directory regardless of traditional security safeguards such as file permissions, root_squash, or all_squash attributes. This leads to unauthorized read or write access to files and directories that the client should not be able to reach, effectively elevating the client's privileges on the NFS server.

Affected Systems

Red Hat Ceph Storage 8, Red Hat Enterprise Linux 6, 7, 8, 9, and 10, as well as the Extended Update Support releases 9.4 and 9.6, and Red Hat OpenShift Container Platform versions 4.16 through 4.19 are affected.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity vulnerability. The EPSS score is less than 1 percent, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote NFSv3 client that can mount an exported file system from the vulnerable server; by connecting from an untrusted or compromised machine, an attacker can gain unauthorized access to sensitive resources on the server.

Generated by OpenCVE AI on April 27, 2026 at 20:05 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply the latest Red Hat errata releases (RHSA-2026:3938 through RHSA-2026:5877) that contain the patch for the nfs-utils privilege escalation flaw.
  • After updating, re‑examine and enforce root_squash or all_squash settings in /etc/exports to limit client permissions as a precautionary measure.
  • If a patch is unavailable or cannot be applied, block or restrict NFSv3 traffic from untrusted networks using firewall rules or by disabling rpc.mountd for those clients.
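
One way to carry out the /etc/exports review recommended above, as an added example that is not OpenCVE's or Red Hat's code: a small Python audit that parses exports syntax and lists entries with no_root_squash or a client of "any host". The sample content and the function names are constructed for illustration, and the merging of per-line default options is simplified.

```python
import re

# Constructed sample in /etc/exports syntax (not from any real server).
SAMPLE_EXPORTS = """\
/srv/projects  192.0.2.0/24(rw,sync,root_squash)
/srv/scratch   *(rw,no_root_squash)   # constructed: world export
/srv/backup    backup.example.com(ro,all_squash) \\
               198.51.100.7(rw,no_root_squash)
/srv/public    -ro,all_squash  *.example.com  203.0.113.5(rw)
"""

SQUASH = {"root_squash", "no_root_squash", "all_squash", "no_all_squash"}
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # client[(opt,opt,...)]

def logical_lines(text):
    """Yield entries with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def audit_exports(text):
    """Return (path, client, finding) tuples that deserve a manual review."""
    findings = []
    for line in logical_lines(text):
        path, *fields = line.split()  # assumes paths without embedded spaces
        defaults = set()
        for field in fields:
            if field.startswith("-"):  # "-opt,opt": defaults for later clients on this line
                defaults = set(field[1:].split(","))
                continue
            m = CLIENT_RE.match(field)
            if m is None:
                findings.append((path, field, "unparsed entry"))
                continue
            client = m.group(1) or "*"  # an empty client name matches any host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            squash = (opts & SQUASH) or (defaults & SQUASH)  # simplification: client options win
            if "no_root_squash" in squash:
                findings.append((path, client, "no_root_squash"))
            if client == "*":
                findings.append((path, client, "exported to any host"))
    return findings
```

To audit a server, pass the contents of its /etc/exports (and any files under /etc/exports.d) to `audit_exports` and review each tuple it returns.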


History

Thu, 02 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.16::el9
References

Wed, 01 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.19::el9
References

Wed, 01 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.17::el9
References

Wed, 25 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4 cpe:/a:redhat:openshift:4.18::el9
References

Tue, 24 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ceph Storage
CPEs cpe:/a:redhat:ceph_storage:8::el9
Vendors & Products Redhat ceph Storage
References

Mon, 09 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Linux-nfs
Linux-nfs nfs-utils
Weaknesses CWE-732
CPEs cpe:2.3:a:linux-nfs:nfs-utils:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Linux-nfs
Linux-nfs nfs-utils

Fri, 06 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_eus:9.4::crb
cpe:/o:redhat:enterprise_linux:10.1
cpe:/o:redhat:rhel_eus:9.4::baseos
References

Fri, 06 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/a:redhat:rhel_eus:9.6::crb
cpe:/o:redhat:rhel_eus:9.6::baseos
Vendors & Products Redhat rhel Eus
References

Fri, 06 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::crb
cpe:/o:redhat:enterprise_linux:9::baseos
References

Thu, 05 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::crb
cpe:/o:redhat:enterprise_linux:8::baseos
References

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat nfs Utils
Redhat openshift Container Platform
Vendors & Products Redhat nfs Utils
Redhat openshift Container Platform

Thu, 05 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity: None threat_severity: Moderate


Wed, 04 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
Title Nfs-utils: rpc.mountd in the nfs-utils privilege escalation
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-279
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T14:11:43.300Z

Reserved: 2025-11-06T12:17:26.749Z

Link: CVE-2025-12801

Vulnrichment

Updated: 2026-03-04T16:16:13.021Z

NVD

Status: Modified

Published: 2026-03-04T16:16:23.900

Modified: 2026-04-02T15:16:22.833

Link: CVE-2025-12801

Redhat

Severity: Moderate

Public Date: 2026-03-04T15:06:00Z

Links: CVE-2025-12801 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses