CVE-2026-52906 – 9p: fix access mode flags being ORed instead of replaced

CVE ID :CVE-2026-52906

Published : June 9, 2026, 2:16 p.m. | 19 minutes ago

Description :In the Linux kernel, the following vulnerability has been resolved:

9p: fix access mode flags being ORed instead of replaced

Since commit 1f3e4142c0eb (“9p: convert to the new mount API”),
v9fs_apply_options() applies parsed mount flags with |= onto flags
already set by v9fs_session_init(). For 9P2000.L, session_init sets
V9FS_ACCESS_CLIENT as the default, so when the user mounts with
“access=user”, both bits end up set. Access mode checks compare
against exact values, so having both bits set matches neither mode.

This causes v9fs_fid_lookup() to fall through to the default switch
case, using INVALID_UID (nobody/65534) instead of current_fsuid()
for all fid lookups. Root is then unable to chown or perform other
privileged operations.

Fix by clearing the access mask before applying the user’s choice.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…