CVE-2025-68803 | NFSD: NFSv4 file creation neglects setting ACL

In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL.

Published: 2026-01-13 Last update: 2026-04-15 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2025-68803 is rated Low Risk (7/100): low exploitation likelihood (EPSS 0.17%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-68803

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.04%	0.17%	+0.13%
2	2026-06-11	0.06%	0.04%	-0.02%
3	2026-02-18	—	0.06%	—

Full EPSS history (4 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-68803

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2025-68803

OS Trackers for CVE-2025-68803

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2025-68803 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2025-68803
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-68803
`suse`	medium	CVE-2025-68803 severity moderate: SUSE including 385 source package names (13.2-9.1:libsqlite3-0-3.49.1-1.1, 2.1.3-6.115:kernel-default-base-6.4.0-39.1.21.16, …), 632 product×package rows across 81 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (81 product lines)): Fixed 277, Known Affected 231, Known Not Affected 99, First Fixed 25.	https://www.suse.com/security/cve/CVE-2025-68803/
`ubuntu`	medium	CVE-2025-68803 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 179, released 119, not-affected 46, needed 34, pending 17.	https://ubuntu.com/security/CVE-2025-68803

Affected software / configurations for CVE-2025-68803

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2025-68803

URL	Tags
https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192
https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862
https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1
https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725
https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562
https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3
https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d

cvelogic Threat Intelligence