CVE-2009-1630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1630): The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.
No idea why this is not yet upstream.
http://lkml.org/lkml/2009/5/18/436