Description
In the Linux kernel, the following vulnerability has been resolved:

9p: fix access mode flags being ORed instead of replaced

Since commit 1f3e4142c0eb ("9p: convert to the new mount API"),
v9fs_apply_options() applies parsed mount flags with |= onto flags
already set by v9fs_session_init(). For 9P2000.L, session_init sets
V9FS_ACCESS_CLIENT as the default, so when the user mounts with
"access=user", both bits end up set. Access mode checks compare
against exact values, so having both bits set matches neither mode.

This causes v9fs_fid_lookup() to fall through to the default switch
case, using INVALID_UID (nobody/65534) instead of current_fsuid()
for all fid lookups. Root is then unable to chown or perform other
privileged operations.

Fix by clearing the access mask before applying the user's choice.
Published: 2026-06-09
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Linux kernel’s 9P filesystem when mount options are combined incorrectly. Access mode flags are ORed rather than replaced, so when a user mounts with "access=user" both the default client bit and the user bit become set. Because access checks require an exact match, neither mode is recognized, causing the system to fall back to an invalid user ID for all file ID lookups. As a result, root is unable to perform privileged operations such as chown or other activities that require root privileges. The flaw does not grant additional privileges to an attacker, but it breaks normal root functionality and can disrupt system administration.
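The flag handling described above, as an added user-space model (not the kernel's code): the function names are hypothetical stand-ins for v9fs_session_init(), v9fs_apply_options() and the uid selection in v9fs_fid_lookup(), and the bit values and the V9FS_ACCESS_ANY case are assumptions made for this model. It contrasts the ORed flags with the mask-then-set fix and shows which uid each one yields for a root caller.

```c
#include <stdio.h>
/* Simplified model; bit values are assumptions made for this example. */
enum {
    V9FS_ACCESS_SINGLE = 0x04,
    V9FS_ACCESS_USER   = 0x08,
    V9FS_ACCESS_CLIENT = 0x10,
    V9FS_ACCESS_ANY    = V9FS_ACCESS_SINGLE | V9FS_ACCESS_USER | V9FS_ACCESS_CLIENT,
    V9FS_ACCESS_MASK   = V9FS_ACCESS_ANY,
};
#define MODEL_INVALID_UID 65534u /* nobody/65534, as in the description */

/* Stand-in for v9fs_session_init(): 9P2000.L defaults to client access. */
static unsigned session_init_dotl(void) { return V9FS_ACCESS_CLIENT; }

/* Buggy apply step: the parsed option is ORed onto the default. */
static unsigned apply_options_buggy(unsigned flags, unsigned parsed)
{
    return flags | parsed;
}

/* Fixed apply step: clear the access mask, then set the user's choice. */
static unsigned apply_options_fixed(unsigned flags, unsigned parsed)
{
    if (parsed & V9FS_ACCESS_MASK)
        flags &= ~(unsigned)V9FS_ACCESS_MASK;
    return flags | parsed;
}

/* Stand-in for the uid choice in v9fs_fid_lookup(): exact-value match. */
static unsigned lookup_uid(unsigned flags, unsigned fsuid, unsigned session_uid)
{
    switch (flags & V9FS_ACCESS_MASK) {
    case V9FS_ACCESS_SINGLE: case V9FS_ACCESS_USER: case V9FS_ACCESS_CLIENT:
        return fsuid;              /* models current_fsuid() */
    case V9FS_ACCESS_ANY:
        return session_uid;
    default:
        return MODEL_INVALID_UID;  /* two bits set: matches no mode */
    }
}

int main(void)
{
    unsigned bad  = apply_options_buggy(session_init_dotl(), V9FS_ACCESS_USER);
    unsigned good = apply_options_fixed(session_init_dotl(), V9FS_ACCESS_USER);
    printf("buggy flags=0x%02x uid=%u\n", bad,  lookup_uid(bad, 0, 0));
    printf("fixed flags=0x%02x uid=%u\n", good, lookup_uid(good, 0, 0));
    return 0;
}
```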

Affected Systems

Linux kernels that include commit 1f3e4142c0eb ("9p: convert to the new mount API"), after which the flags are ORed, but do not yet include the subsequent fix commit. Systems running such kernels that use 9P mounts with the "access=user" option are affected.

Risk and Exploitability

The issue causes a denial of privileged operations for root but does not provide a direct attack path for privilege escalation or data compromise. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local, requiring the ability to mount a 9P filesystem with specific options. Because the flaw does not enable an attacker to gain elevated privileges or exfiltrate data, the overall risk to the system is low to moderate, primarily impacting root administrative work.

Generated by OpenCVE AI on June 10, 2026 at 01:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the follow-up to commit 1f3e4142c0eb that clears the access mask before applying user-specified flags.
  • If an immediate upgrade is not possible, temporarily disable or restrict the use of 9P filesystem mounts, especially those using the "access=user" option, for all services until the kernel fix is applied.
  • After applying the kernel update, restart all services that rely on 9P to ensure the new mount behavior takes effect.
  • Verify that no lingering mount points are using incorrect access flags, and adjust any custom scripts accordingly.

Generated by OpenCVE AI on June 10, 2026 at 01:39 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:15:00 +0000


Tue, 09 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-250, CWE-269

Tue, 09 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | 9p: fix access mode flags being ORed instead of replaced
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-09T12:36:03.521Z

Reserved: 2026-06-09T07:44:35.366Z

Link: CVE-2026-52906

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T14:16:45.047

Modified: 2026-06-09T14:16:45.047

Link: CVE-2026-52906

Redhat

Severity :

Public Date: 2026-06-09T00:00:00Z

Links: CVE-2026-52906 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z
