CVE-2024-46695 Overview
CVE-2024-46695 is a Linux kernel vulnerability in the SELinux and Smack Linux Security Module (LSM) inode_setsecctx hook. The flaw allows a root user on a Network File System (NFS) client to change security labels on files exported with root squashing enabled. The nfsd_setattr() path called __vfs_setxattr_noperm(), which bypasses the LSM permission checks normally performed by security_inode_setxattr(). This permits modification of file security contexts that should otherwise be denied. The issue affects Linux kernel versions through 6.11-rc5 [CWE-276: Incorrect Default Permissions].
Critical Impact
A privileged local user on an NFS client can modify SELinux or Smack security labels on exported files, bypassing root squashing protections and altering Mandatory Access Control (MAC) policy enforcement on the server.
Affected Products
- Linux kernel stable branches prior to the fix commits
- Linux kernel 6.11-rc1 through 6.11-rc5
- Debian distributions referenced in the January 2025 and March 2025 LTS advisories
Discovery Timeline
- 2024-09-13 - CVE-2024-46695 published to the National Vulnerability Database (NVD)
- 2025-11-03 - Last updated in the NVD database
Technical Details for CVE-2024-46695
Vulnerability Analysis
The vulnerability resides in the kernel's LSM integration with the NFS server (nfsd) subsystem. When an NFS client issues a request to set a file's security context, nfsd_setattr() invokes the security_inode_setsecctx() LSM hook. Both SELinux and Smack implement this hook by calling __vfs_setxattr_noperm(), which intentionally skips permission checks and expects the caller to enforce them.
While nfsd_setattr() performs NFS-layer access checks through fh_verify() and nfsd_permission(), these checks do not cover the additional MAC validations enforced by security_inode_setxattr() and its associated LSM hooks. As a result, a user with mapped root privileges on the NFS client can rewrite labels such as security.selinux on server-side inodes, undermining policy decisions on the server.
Root Cause
The root cause is a missing permission check in the inode_setsecctx hook implementations for SELinux and Smack. The kerneldoc for __vfs_setxattr_noperm() explicitly states that callers are responsible for performing permission checks, but nfsd_setattr() relied solely on NFS-layer checks. This omission allows the LSM-enforced restrictions on extended attribute modification to be bypassed entirely on the NFS server side, even when root squashing is configured on the export.
Attack Vector
Exploitation requires local access to an NFS client mounting an export from a vulnerable Linux server. The attacker must hold root on the client. Despite root squashing remapping the client's UID to an unprivileged identity on the server, the attacker can still issue setxattr operations targeting the security.* namespace. The server processes the request through nfsd_setattr(), which routes it to the unchecked LSM hook and applies the label change.
The upstream fix replaces the call to __vfs_setxattr_noperm() with __vfs_setxattr_locked(). The locked variant performs the full permission and LSM checks and also causes nfsd to recall conflicting NFSv4 delegations when a client modifies a label.
No public proof-of-concept exploit code has been released. See kernel commits f71ec019257b and 459584258d47 for the fix details.
Detection Methods for CVE-2024-46695
Indicators of Compromise
- Unexpected changes to extended attributes in the security.selinux or security.SMACK64 namespaces on NFS-exported files.
- NFS SETATTR operations originating from clients targeting security label attributes on root-squashed exports.
- Audit records showing successful setxattr operations on inodes whose owners and modes should not permit such changes.
Detection Strategies
- Enable Linux Audit (auditd) rules on the NFS server for setxattr, lsetxattr, and fsetxattr syscalls targeting the security.* namespace.
- Compare current SELinux file contexts against the policy baseline using restorecon -n -v to identify labels that drift from expected values.
- Correlate NFS server logs and audit trails to flag label modifications attributable to remapped (squashed) root accounts.
Monitoring Recommendations
- Centralize kernel, audit, and NFS server logs to a Security Information and Event Management (SIEM) platform for correlation and retention.
- Establish a baseline of SELinux and Smack label distributions on exported file systems and alert on unexpected deviations.
- Track Linux kernel package versions across the fleet to identify hosts still running pre-fix kernels.
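The label baseline recommended above can be kept with a short script run on the NFS server against the exported tree. This is an added example, not code from the kernel project or the original advisory; the function names and the sample snapshots are constructed for illustration.

```python
import os

# Label xattrs named in this advisory's indicators of compromise.
LABEL_XATTRS = ("security.selinux", "security.SMACK64")


def read_labels(path):
    """Return {xattr_name: label} for one path, skipping absent xattrs."""
    labels = {}
    for name in LABEL_XATTRS:
        try:
            raw = os.getxattr(path, name, follow_symlinks=False)
        except OSError:
            continue  # no such label on this inode, or xattrs unsupported
        labels[name] = raw.rstrip(b"\x00").decode("utf-8", "replace")
    return labels


def snapshot(root):
    """Walk an exported tree and map each relative path to its labels."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            snap[os.path.relpath(full, root)] = read_labels(full)
    return snap


def diff_snapshots(baseline, current):
    """Return sorted (path, xattr, old, new) tuples for every changed label.

    Paths present in only one snapshot are reported with None on the
    missing side, so new and deleted files also surface for review.
    """
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path, {}), current.get(path, {})
        for name in LABEL_XATTRS:
            if old.get(name) != new.get(name):
                changes.append((path, name, old.get(name), new.get(name)))
    return changes


# Constructed sample snapshots (not real data): one file was relabeled.
BASELINE = {"docs/report.txt": {"security.selinux": "system_u:object_r:nfs_t:s0"},
            "bin/tool": {"security.selinux": "system_u:object_r:nfs_t:s0"}}
CURRENT = {"docs/report.txt": {"security.selinux": "system_u:object_r:nfs_t:s0"},
           "bin/tool": {"security.selinux": "system_u:object_r:bin_t:s0"}}

if __name__ == "__main__":
    for change in diff_snapshots(BASELINE, CURRENT):
        print(change)
```

Store the output of `snapshot()` from a known-good state and compare later snapshots against it; any change not explained by an administrative relabel on the server warrants review.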
How to Mitigate CVE-2024-46695
Immediate Actions Required
- Upgrade the Linux kernel on all NFS servers to a version containing the upstream fixes referenced in the kernel.org stable commits.
- For Debian systems, apply the updates described in the Debian LTS Announcement January 2025 and the Debian LTS Announcement March 2025.
- Audit existing SELinux and Smack labels on NFS exports to detect prior tampering and restore correct contexts where needed.
Patch Information
The fix replaces __vfs_setxattr_noperm() with __vfs_setxattr_locked() in the SELinux and Smack inode_setsecctx hook implementations, ensuring LSM permission checks run on the server. Patches are available in the kernel.org stable tree, including commits f71ec019257b, 459584258d47, and 76a0e79bc84f.
Workarounds
- Restrict NFS exports to trusted clients only and disable exports to hosts with untrusted local administrators.
- Where feasible, mount affected exports with options that disable extended attribute modification by clients.
- Limit which clients can reach the NFS server using host-based firewalls and client allow lists in /etc/exports until patches are applied.
# Verify the running kernel version on an NFS server
uname -r
# Audit setxattr operations on the security namespace (run on NFS server)
auditctl -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -k sec_xattr
# Review current SELinux labels on an exported path against policy
restorecon -n -v -R /srv/nfs/export


