NFSv3 rpc.mountd Privilege Escalation via Directory Bypass (CVE-2025-12801)
CVE-2025-12801 Published on March 4, 2026
Nfs-utils: rpc.mountd in the nfs-utils privilege escalation
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the
privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
Vulnerability Analysis
CVE-2025-12801 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public. 118 days later.
Weakness Type
Incorrect Execution-Assigned Permissions
While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
Products Associated with CVE-2025-12801
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
Red Hat Enterprise Linux 10:- Version 1:2.8.3-0.el10_1.3 and below * is unaffected.
- Version 1:2.3.3-68.el8_10 and below * is unaffected.
- Version 1:2.5.4-38.el9_7.3 and below * is unaffected.
- Version 1:2.5.4-38.el9_7.3 and below * is unaffected.
- Version 1:2.5.4-26.el9_4.3 and below * is unaffected.
- Version 1:2.5.4-34.el9_6.3 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.