What is CVE-2025-68803?

CVE-2025-68803 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.10.220 onward and patched in 5.10.248, 5.15.198, 6.1.160 and others. CVE-2025-68803 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-68803?

CVE-2025-68803 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-68803?

Yes, CVE-2025-68803 has been patched. Fixed versions include 5.10.248, 5.15.198, 6.1.160 and others. If you are running Linux kernel 5.10.220 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-68803 actively exploited?

CVE-2025-68803 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-68803

In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL.

Package Linux Kernel

Published 2026-01-13

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 5.10.220, 5.15.154, 6.0 and later are affected. Fixed in 5.10.248, 5.15.198, 6.1.160, 6.6.121, 6.12.64, 6.18.3, 6.19 and their respective stable series.

Affected from

≥ 5.10.220 ≥ 5.15.154 ≥ 6.0

Fixed in

✓ 5.10.248 5.10.x ✓ 5.15.198 5.15.x ✓ 6.1.160 6.1.x ✓ 6.6.121 6.6.x ✓ 6.12.64 6.12.x ✓ 6.18.3 6.18.x ✓ 6.19

References

The following references provide additional information about CVE-2025-68803 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192
Patch
Kernel patch commit
https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862
Patch
Kernel patch commit
https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1
Patch

7 patch commits total View all on NVD

Frequently asked questions

What is CVE-2025-68803?

CVE-2025-68803 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.10.220 onward and has been patched in 5.10.248, 5.15.198, 6.1.160 and others. CVE-2025-68803 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-68803?

Yes — CVE-2025-68803 has been patched. Fixed versions include 5.10.248, 5.15.198, 6.1.160 and others. If you are running Linux kernel 5.10.220 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-68803 actively exploited?

No — CVE-2025-68803 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.