{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T05:58:14.446","vulnerabilities":[{"cve":{"id":"CVE-2025-68803","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-13T16:16:02.377","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: NFSv4 file creation neglects setting ACL\n\nAn NFSv4 client that sets an ACL with a named principal during file\ncreation retrieves the ACL afterwards, and finds that it is only a\ndefault ACL (based on the mode bits) and not the ACL that was\nrequested during file creation. This violates RFC 8881 section\n6.4.1.3: \"the ACL attribute is set as given\".\n\nThe issue occurs in nfsd_create_setattr(), which calls\nnfsd_attrs_valid() to determine whether to call nfsd_setattr().\nHowever, nfsd_attrs_valid() checks only for iattr changes and\nsecurity labels, but not POSIX ACLs. When only an ACL is present,\nthe function returns false, nfsd_setattr() is skipped, and the\nPOSIX ACL is never applied to the inode.\n\nSubsequently, when the client retrieves the ACL, the server finds\nno POSIX ACL on the inode and returns one generated from the file's\nmode bits rather than returning the originally-specified ACL."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nNFSD: la creación de archivos NFSv4 omite establecer la ACL\n\nUn cliente NFSv4 que establece una ACL con un principal nombrado durante la creación del archivo recupera la ACL después, y encuentra que es solo una ACL predeterminada (basada en los bits de modo) y no la ACL que fue solicitada durante la creación del archivo. Esto viola la sección 6.4.1.3 de RFC 8881: 'el atributo ACL se establece tal como se proporciona'.\n\nEl problema ocurre en nfsd_create_setattr(), que llama a nfsd_attrs_valid() para determinar si llamar a nfsd_setattr(). Sin embargo, nfsd_attrs_valid() verifica solo los cambios de iattr y las etiquetas de seguridad, pero no las ACL de POSIX. Cuando solo una ACL está presente, la función devuelve falso, nfsd_setattr() es omitida, y la ACL de POSIX nunca se aplica al inodo.\n\nPosteriormente, cuando el cliente recupera la ACL, el servidor no encuentra ninguna ACL de POSIX en el inodo y devuelve una generada a partir de los bits de modo del archivo en lugar de devolver la ACL especificada originalmente."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}