CVE-2024-46695: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-46695 affects the Linux kernel's security subsystem, specifically the SELinux and Smack components. The vulnerability was discovered by Marek Gresko and disclosed in September 2024. The issue allows a root user on an NFS client to bypass root squashing protections and change security labels on files in an NFS filesystem that is exported with root squashing enabled (NVD, Kernel Patch).

The vulnerability stems from improper permission checks in the inodesetsecctx hook implementation. The issue occurs because nfsdsetattr() uses _vfssetxattrnoperm() which bypasses some permission checks that would normally be performed by securityinodesetxattr() and related LSM hooks. While nfsdsetattr() does perform some permission checking via fhverify() and nfsdpermission(), these checks are not as comprehensive as the full LSM hook checks (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 Base Score of 4.4 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows a root user on an NFS client to modify security labels on files in an NFS filesystem, even when root squashing is enabled. This bypasses intended security restrictions and could lead to privilege escalation or unauthorized access to protected resources (NVD).

The vulnerability has been fixed by replacing the call to vfssetxattrnoperm() with vfssetxattrlocked() in the SELinux and Smack security modules. This change ensures proper permission checking and also improves NFS delegation handling. The fix has been included in various Linux distributions through security updates (Red Hat).