GHSA-4vm9-m655-vqf4HighCVSS 7.7

In the Linux kernel, the following vulnerability has been resolved: 9p: fix access mode flags...

Published
June 9, 2026
Last Modified
June 14, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

9p: fix access mode flags being ORed instead of replaced

Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(). For 9P2000.L, session_init sets V9FS_ACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode.

This causes v9fs_fid_lookup() to fall through to the default switch case, using INVALID_UID (nobody/65534) instead of current_fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations.

Fix by clearing the access mask before applying the user's choice.

🔗 References (4)