CVE-2025-12801

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2026:3938	Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3939	Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3940	Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3941	Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3942	Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:5127
https://access.redhat.com/errata/RHSA-2026:5606
https://access.redhat.com/security/cve/CVE-2025-12801	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2413081	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:10.0:::::::*

Configuration 2 (hide)

cpe:2.3:a:linux-nfs:nfs-utils:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-04 16:16

Updated : 2026-03-25 05:16

NVD link : CVE-2025-12801

Mitre link : CVE-2025-12801

CVE.ORG link : CVE-2025-12801

JSON object : View

Products Affected

redhat

openshift_container_platform
enterprise_linux

linux-nfs

nfs-utils

CWE

CWE-279

Incorrect Execution-Assigned Permissions

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2025-12801", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-04T16:16:23.900", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:3938", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2026:3939", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2026:3940", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2026:3941", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2026:3942", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2026:5127", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2026:5606", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-12801", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413081", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-279"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the\nprivileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client."}, {"lang": "es", "value": "Una vulnerabilidad fue descubierta recientemente en el demonio rpc.mountd del paquete nfs-utils para Linux, que permite a un cliente NFSv3 escalar los privilegios asignados a \u00e9l en el archivo /etc/exports en el momento del montaje. En particular, permite al cliente acceder a cualquier subdirectorio o sub\u00e1rbol de un directorio exportado, independientemente de los permisos de archivo establecidos, e independientemente de cualquier atributo 'root_squash' o 'all_squash' que normalmente se esperar\u00eda que se aplicaran a ese cliente."}], "lastModified": "2026-03-25T05:16:24.423", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linux-nfs:nfs-utils:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FD2E9BF-0932-4362-923C-BC98473536C3"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}