In the Linux kernel, the following vulnerability has been resolved:
9p: fix access mode flags being ORed instead of replaced
Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fsapplyoptions() applies parsed mount flags with |= onto flags already set by v9fssessioninit(). For 9P2000.L, sessioninit sets V9FSACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode.
This causes v9fsfidlookup() to fall through to the default switch case, using INVALIDUID (nobody/65534) instead of currentfsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations.
Fix by clearing the access mask before applying the user's choice.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52906.json"
}