Severity: HIGH · CVE-2026-52906 · CNA: Linux

CVE-2026-52906: 9p: fix access mode flags being ORed instead of replaced

In the Linux kernel, the following vulnerability has been resolved:

9p: fix access mode flags being ORed instead of replaced

Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(). For 9P2000.L, session_init sets V9FS_ACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set.

Access mode checks compare against exact values, so having both bits set matches neither mode. This causes v9fs_fid_lookup() to fall through to the default switch case, using INVALID_UID (nobody/65534) instead of current_fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations.

Fix by clearing the access mask before applying the user's choice.
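The flag handling described above, modelled in user-space C as an added example (not the kernel's code and not part of the original record). V9FS_ACCESS_CLIENT is the name used in the description; the other constant names, all numeric values, and the `model_*` helpers are assumptions made for illustration.

```c
#include <stdio.h>

/* User-space model of the described flag logic; NOT kernel code. Values assumed. */
enum {
    V9FS_ACCESS_USER   = 0x08,
    V9FS_ACCESS_CLIENT = 0x10,
    V9FS_ACCESS_MASK   = V9FS_ACCESS_USER | V9FS_ACCESS_CLIENT,
};
#define MODEL_INVALID_UID 65534u /* the description's INVALID_UID (nobody/65534) */

/* Pre-fix: the parsed "access=" choice is ORed onto the session default. */
static unsigned model_apply_buggy(unsigned flags, unsigned parsed)
{
    return flags | parsed;
}

/* Post-fix: clear the access mask first, then apply the user's choice. */
static unsigned model_apply_fixed(unsigned flags, unsigned parsed)
{
    return (flags & ~(unsigned)V9FS_ACCESS_MASK) | parsed;
}

/* Exact-value comparison: a value with two mode bits set matches no case. */
static unsigned model_lookup_uid(unsigned flags, unsigned caller_fsuid)
{
    switch (flags & V9FS_ACCESS_MASK) {
    case V9FS_ACCESS_USER:
    case V9FS_ACCESS_CLIENT:
        return caller_fsuid;
    default:
        return MODEL_INVALID_UID;
    }
}

/* Invariant a regression test can assert: exactly one access bit is set. */
static int model_mode_is_valid(unsigned flags)
{
    unsigned m = flags & V9FS_ACCESS_MASK;
    return m != 0 && (m & (m - 1)) == 0;
}

int main(void)
{
    /* 9P2000.L session default (CLIENT), then the user mounts with access=user. */
    unsigned bad = model_apply_buggy(V9FS_ACCESS_CLIENT, V9FS_ACCESS_USER);
    unsigned good = model_apply_fixed(V9FS_ACCESS_CLIENT, V9FS_ACCESS_USER);
    printf("buggy: flags=0x%02x valid=%d uid=%u\n", bad, model_mode_is_valid(bad), model_lookup_uid(bad, 0));
    printf("fixed: flags=0x%02x valid=%d uid=%u\n", good, model_mode_is_valid(good), model_lookup_uid(good, 0));
    return 0;
}
```

With a caller fsuid of 0, the ORed flags resolve to the invalid UID, while the cleared-then-set flags resolve to the caller, which is why root loses the ability to chown on the pre-fix path.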

Metrics

  • CVSS v3.1: 7.7
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A privilege mismatch bug in the Linux kernel's 9P filesystem client causes access mode flags to be combined with a bitwise OR instead of being replaced, corrupting the effective access mode for mounted 9P filesystems. The vulnerability is reachable locally without any authentication, because any user who can invoke a mount operation triggers the broken flag logic. Successful exploitation lets an attacker read and modify files they should not have access to on the affected 9P mount, because fid lookups fall back to INVALID_UID rather than the caller's real user ID. A patched-image rebuild at the fix versions is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-52906 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel or kernel module package. No manual configuration is required for the match to run against images in connected registries and CI pipelines.

Triage: Available

HarborGuard scores this CVE at 7.7 HIGH using the published CVSS v3.1 vector and weights the finding against each customer environment's compliance policy to determine urgency and routing. Triage results are delivered to the inbox or ticketing integration configured for the affected workload's owner within each customer organization.

Patch: Available

A patched-image rebuild pinned to the fix commits (7.0.4 or 7.1-rc1) becomes available on HarborGuard once an image containing an affected kernel version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Not required

    No credentials are required; any local user capable of triggering a 9P mount operation is sufficient to reach the vulnerable code path.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker exercises the vulnerability independently.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race condition, specific memory layout, or environmental dependency is required to trigger the flag corruption.

Blast Radius

  • An attacker reads files and directory contents on the affected 9P mount that the filesystem would otherwise restrict to other users or to root.
  • An attacker writes or modifies files on the 9P mount beyond their actual permission level, because fid lookups resolve to INVALID_UID instead of the caller's real user ID.
  • Privileged operations such as chown are denied to root, disrupting administrative control over the mounted filesystem and any workloads depending on correct ownership semantics.

How HarborGuard Handles This

Available on HarborGuard: images containing a Linux kernel package vulnerable to CVE-2026-52906 are flagged automatically within minutes of the CVE entering upstream feeds. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the corrected kernel version (fix commits 7.0.4 or 7.1-rc1), runs a regression test against the rebuilt image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the configured owner inbox with CVSS scoring and policy context so the team can prioritize a manual rebuild. As a compensating control until the patch is applied, restricting 9P mount permissions to trusted users via Linux user-namespace policy or disabling 9P filesystem support in affected container images reduces the exposed surface.


Fix available

  • 0
  • 7.0.4
  • 7.1-rc1
  • b8f037e87a083291190204b959cda417aaf01058
  • da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9

Affected packages
  • Linux / Linux
    < b8f037e87a083291190204b959cda417aaf01058 (from 1f3e4142c0eb178089ea0cbc97506a061470ad27) · < da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9 (from 1f3e4142c0eb178089ea0cbc97506a061470ad27)
  • Linux / Linux
    6.19
    Fixed in 0, 7.0.4, 7.1-rc1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N