CVE-2025-12801

Name: CVE-2025-12801
Creator: NVD / NIST
Published: 2026-03-04T16:16:23.9+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.46%

Last modified Jun 25, 2026

CVE-2025-12801 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.. EPSS estimates a 0.46% chance of exploitation in the next 30 days.

Description

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.46%

36.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Redhat	Openshift Container Platform	4.0
Redhat	Enterprise Linux	6.0
Redhat	Enterprise Linux	7.0
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux	9.0
Redhat	Enterprise Linux	10.0
Linux-Nfs	Nfs-Utils	All versions

References

https://access.redhat.com/errata/RHSA-2026:3938Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3939Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3940Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3941Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:3942Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:5127
https://access.redhat.com/errata/RHSA-2026:5606
https://access.redhat.com/errata/RHSA-2026:5867
https://access.redhat.com/errata/RHSA-2026:5873
https://access.redhat.com/errata/RHSA-2026:5877
https://access.redhat.com/security/cve/CVE-2025-12801Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2413081Issue Tracking, Third Party Advisory

Timeline

Published: Mar 4, 2026
Last Modified: Jun 25, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2025-12801?

How severe is CVE-2025-12801?

CVE-2025-12801 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.46% probability of exploitation in the next 30 days.

How do I fix CVE-2025-12801?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-12801?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST