
CVE-2025-12801: Red Hat OpenShift Privilege Escalation

CVE-2025-12801 is a privilege escalation flaw in Red Hat OpenShift Container Platform affecting the rpc.mountd daemon. NFSv3 clients can bypass export restrictions and access controls to gain unauthorized privileges.

CVE-2025-12801 Overview

CVE-2025-12801 is a privilege escalation vulnerability in the rpc.mountd daemon shipped with the nfs-utils package for Linux. The flaw allows an NFSv3 client to escalate the access privileges assigned to it in the /etc/exports file at mount time. An authenticated client can reach any subdirectory or subtree of an exported directory, regardless of the file permissions configured on the server. The vulnerability also bypasses the root_squash and all_squash export attributes that administrators rely on to constrain remote root identities. Red Hat Enterprise Linux 6 through 10 and Red Hat OpenShift Container Platform 4 are affected, alongside the upstream linux-nfs/nfs-utils project.

Critical Impact

An NFSv3 client with legitimate mount access can read sensitive files across an entire exported volume and circumvent UID squashing controls, exposing data that administrators expected to be isolated.

Affected Products

  • Red Hat Enterprise Linux 6, 7, 8, 9, and 10
  • Red Hat OpenShift Container Platform 4
  • Upstream linux-nfs/nfs-utils package

Discovery Timeline

  • 2026-03-04 - CVE-2025-12801 published to the National Vulnerability Database
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2025-12801

Vulnerability Analysis

The rpc.mountd daemon is responsible for handling MOUNT protocol requests in NFSv3 deployments. It consults /etc/exports to decide which subtrees a given client may mount and which export options apply, including UID remapping flags such as root_squash and all_squash. CVE-2025-12801 stems from improper enforcement of those per-export attributes at mount time, allowing a client to traverse beyond the boundaries that the export configuration was meant to impose. The weakness is tracked under CWE-279: Incorrect Execution-Assigned Permissions and CWE-732: Incorrect Permission Assignment for Critical Resource, reflecting both a privilege handling defect and a permission assignment defect in the daemon.

Root Cause

The daemon fails to fully apply the export options recorded in /etc/exports to the file handles it returns. Once the client receives a file handle, subsequent NFSv3 operations are not constrained by the intended subtree or squash policy. As a result, file system permission checks performed downstream operate against the unrestricted server-side identity rather than the squashed identity the administrator configured.

Attack Vector

The attacker must be an NFSv3 client authorized to mount at least one export from the target server. From that position, the client requests access to paths that the export policy was meant to restrict, including parent directories, sibling subtrees, and root-owned files. Because root_squash and all_squash are not enforced, requests issued as UID 0 on the client side are honored as privileged on the server side. The result is unauthorized read access to sensitive files such as configuration data, application secrets, and user home directories that live within the exported file system.

No verified public proof-of-concept code is available for this issue. Refer to Red Hat's CVE-2025-12801 advisory and Red Hat Bug Report #2413081 for technical detail.

Detection Methods for CVE-2025-12801

Indicators of Compromise

  • NFSv3 MOUNT requests from clients followed by access to paths outside the originally requested export subtree.
  • File reads on the NFS server attributed to UID 0 from clients that should have been remapped by root_squash or all_squash.
  • Unexpected access to sensitive files such as /etc/shadow, SSH keys, or application secrets located under exported file systems.

Detection Strategies

  • Audit rpc.mountd logs and kernel NFS server logs for mount attempts and subsequent file handle usage that crosses export boundaries.
  • Enable Linux audit rules (auditctl) on directories that sit outside exported subtrees but share the same file system, then alert on remote NFS-originated access.
  • Correlate NFS server activity with client IP allow-lists in /etc/exports to flag deviations from expected mount and access patterns.
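The correlation described above, as an added example that is not part of the original page or of any Red Hat tooling: it parses /etc/exports, then checks server-side access records against the export's client allow-list, its path boundary, and its squash policy, flagging the UID 0 accesses that root_squash should have remapped. It assumes the records have already been reduced to (client IP, path, effective UID) tuples, matches only IP and CIDR client specs (hostnames and @netgroups are not resolved), and takes the first matching client entry as the one that applies.

```python
import ipaddress
import re

def parse_exports(text):
    """Parse /etc/exports into {path: [(client_spec, set(options))]}."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries or ["*"]:              # no client spec means every host
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", entry)
            opts = set(filter(None, (m.group(2) or "").split(",")))
            exports.setdefault(path, []).append((m.group(1) or "*", opts))
    return exports

def client_matches(spec, ip):
    """Match IP/CIDR client specs; hostnames and @netgroups are not resolved here."""
    try:
        return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False

def check_event(exports, client_ip, path, uid):
    """Findings for one server-side access record (client IP, path, effective uid)."""
    hits = [e for e in exports if path == e or path.startswith(e.rstrip("/") + "/")]
    if not hits:
        return [f"{client_ip} reached {path}, which lies outside every export"]
    export = max(hits, key=len)                     # longest matching export path wins
    # first matching client entry is assumed to apply (assumption for this demo)
    entry = next((o for c, o in exports[export] if client_matches(c, client_ip)), None)
    if entry is None:
        return [f"{client_ip} is not in the allow-list for {export}"]
    # exports(5): root_squash is the default unless no_root_squash is given
    if uid == 0 and "no_root_squash" not in entry:
        return [f"uid 0 access to {path} from {client_ip} despite root_squash"]
    return []

# Constructed /etc/exports and access records for the demo, not from a real system.
EXPORTS = parse_exports("""
/srv/nfs/share  10.0.10.0/24(ro,root_squash,sec=sys)
/srv/nfs/build  10.0.20.5(rw,no_root_squash)
""")
EVENTS = [("10.0.10.7", "/srv/nfs/share/etc/app.conf", 0),   # root not squashed
          ("10.0.99.1", "/srv/nfs/share/readme", 1000),      # client not allowed
          ("10.0.10.7", "/srv/backup/keys", 1000),           # subtree escape
          ("10.0.20.5", "/srv/nfs/build/out", 0)]            # permitted by policy

def audit(exports=EXPORTS, events=EVENTS):
    return [f for ip, p, uid in events for f in check_event(exports, ip, p, uid)]
```

Running audit() on the constructed records yields three findings; the fourth record is legitimate because that export explicitly grants no_root_squash.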

Monitoring Recommendations

  • Forward rpc.mountd, nfsd, and auditd events to a centralized log platform and retain them for retrospective analysis.
  • Track package versions of nfs-utils across the fleet and alert on hosts running pre-patch builds after the Red Hat errata are published.
  • Monitor NFS traffic volume and access patterns per client to surface clients reading substantially more data than their workload requires.

How to Mitigate CVE-2025-12801

Immediate Actions Required

  • Apply the fixed nfs-utils packages from the relevant Red Hat Security Advisory RHSA-2026:3938 and the related errata RHSA-2026:3939 through RHSA-2026:5877 listed in the references.
  • Inventory all NFSv3 servers and restrict export client lists in /etc/exports to known, trusted hosts only.
  • Review exported directories for sensitive content that would be exposed if root_squash were bypassed, and relocate or unexport that content where possible.

Patch Information

Red Hat has issued multiple advisories that ship updated nfs-utils packages for RHEL 6 through 10 and OpenShift Container Platform 4. The complete advisory set is RHSA-2026:3938, RHSA-2026:3939, RHSA-2026:3940, RHSA-2026:3941, RHSA-2026:3942, RHSA-2026:5127, RHSA-2026:5606, RHSA-2026:5867, RHSA-2026:5873, and RHSA-2026:5877. Customers using the upstream linux-nfs/nfs-utils package should track the project for the corresponding fix and rebuild affected systems. See the Red Hat CVE-2025-12801 page for component-specific package versions.

Workarounds

  • Migrate exports to NFSv4, which uses a different access model and is not affected by the NFSv3-specific MOUNT protocol behavior described in this CVE.
  • Place sensitive data on file systems that are not exported, so that even a successful subtree escape cannot reach it.
  • Tighten host-based access controls with firewall rules limiting TCP/UDP ports 2049 and 20048 to trusted client networks until patches are applied.
Configuration example: limit exports and prefer NFSv4 until patched.

# /etc/exports - restrict the export to specific hosts and apply squashing explicitly
/srv/nfs/share   10.0.10.0/24(ro,root_squash,all_squash,sec=sys)

# /etc/nfs.conf - disable NFSv3 in favor of NFSv4 where possible
[nfsd]
vers3=n
vers4=y
vers4.1=y
vers4.2=y

# Re-export the /etc/exports changes, then restart the server so nfs.conf is reread
exportfs -ra
systemctl restart nfs-server

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
