The nfs_permission function in fs/nfs/dir.c in the NFS client
implementation in the Linux kernel 126.96.36.199 and earlier, when
atomic_open is available, does not check execute (aka EXEC or
MAY_EXEC) permission bits, which allows local users to bypass
permissions and execute files, as demonstrated by files on an NFSv4
No idea why this is not yet upstream.