CVE-2026-52906

Source
https://cve.org/CVERecord?id=CVE-2026-52906
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-52906.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-52906
Downstream
Related
Published
2026-06-09T12:36:03.521Z
Modified
2026-06-18T03:55:35.899338570Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
9p: fix access mode flags being ORed instead of replaced
Details

In the Linux kernel, the following vulnerability has been resolved:

9p: fix access mode flags being ORed instead of replaced

Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(). For 9P2000.L, session_init sets V9FS_ACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode.

This causes v9fs_fid_lookup() to fall through to the default switch case, using INVALID_UID (nobody/65534) instead of current_fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations.

Fix by clearing the access mask before applying the user's choice.
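
The flag handling described above, as a user-space model added to this record (not kernel code and not taken from the fix commits). All names, the bit values, and the exact condition under which the mask is cleared are constructed for illustration; 65534 follows the "nobody" value quoted in the details.

```c
#include <stdio.h>

/* Constructed bit layout for this model; not copied from the kernel headers. */
enum {
    ACCESS_SINGLE = 0x04,
    ACCESS_USER   = 0x08,
    ACCESS_CLIENT = 0x10,
    ACCESS_MASK   = ACCESS_SINGLE | ACCESS_USER | ACCESS_CLIENT,
    OTHER_FLAG    = 0x20   /* stands in for an unrelated session flag that must survive */
};

#define MODEL_INVALID_UID 65534u  /* "nobody", as described in the record */

/* Model of session init for 9P2000.L: access=client is the default. */
static unsigned session_init(void) { return ACCESS_CLIENT | OTHER_FLAG; }

/* Pre-fix behaviour: the parsed option is ORed onto the defaults. */
static unsigned apply_options_buggy(unsigned flags, unsigned parsed)
{
    return flags | parsed;
}

/* Post-fix behaviour: clear the access field, then apply the user's choice. */
static unsigned apply_options_fixed(unsigned flags, unsigned parsed)
{
    if (parsed & ACCESS_MASK)          /* assumption: only clear when an access mode was given */
        flags &= ~(unsigned)ACCESS_MASK;
    return flags | parsed;
}

/* Model of the uid selection in the fid lookup: exact match on the access mode. */
static unsigned lookup_uid(unsigned flags, unsigned fsuid, unsigned session_uid)
{
    switch (flags & ACCESS_MASK) {
    case ACCESS_SINGLE: return session_uid;
    case ACCESS_USER:
    case ACCESS_CLIENT: return fsuid;
    default:            return MODEL_INVALID_UID;  /* two bits set lands here */
    }
}

int main(void)
{
    unsigned bad  = apply_options_buggy(session_init(), ACCESS_USER);
    unsigned good = apply_options_fixed(session_init(), ACCESS_USER);
    printf("buggy: flags=0x%02x uid=%u\n", bad,  lookup_uid(bad, 0, 1000));
    printf("fixed: flags=0x%02x uid=%u\n", good, lookup_uid(good, 0, 1000));
    return 0;
}
```

With fsuid 0 (root) the buggy path resolves to 65534 while the fixed path resolves to 0, and the unrelated flag is preserved in both cases.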

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52906.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1f3e4142c0eb178089ea0cbc97506a061470ad27
Fixed
b8f037e87a083291190204b959cda417aaf01058
Fixed
da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-52906.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-52906.json"