VDB

DEBIAN-CVE-2025-12801

DEBIAN-CVE-2025-12801 PUBLISHED CVSS 6.5 MEDIUM

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

Risk Scores

CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products

VendorProductVersions
Debian:13nfs-utils0, 0, 2.8.3-1
Debian:14nfs-utils0, *, 0
Debian:12nfs-utils1:2.8.4-1, 1:2.8.4-2, 1:2.8.5-1
Debian:11nfs-utils*, 0, 1:1.3.4-6

Timeline

  • Mar 4, 2026 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›