Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-23241 is a vulnerability in the Linux kernel audit subsystem where certain new system calls were missing from the audit classes that monitor file operations.'}, {'type': 'paragraph', 'content': "Specifically, the 'at' variants of getxattr() and listxattr() system calls (getxattrat() and listxattrat()) were not included in the audit read class. This omission meant that when these system calls were used to read extended file attributes, such as SELinux labels or file capabilities, the audit system (auditd) did not generate alerts."}, {'type': 'paragraph', 'content': 'As a result, these system calls could bypass audit rules designed to monitor file reads, allowing stealthy operations to go undetected.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by adding the missing system calls to the audit read class in Linux kernel version 7.0 and backported to several long-term support versions.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing certain file operations to occur without being logged or detected by the Linux audit system.

Specifically, attackers or users with sufficient permissions could use the missing system calls to read extended file attributes or change file permissions stealthily, bypassing auditd monitoring.

This undermines the reliability of audit logs and security monitoring, potentially allowing unauthorized or malicious activities to go unnoticed.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves certain system calls (getxattrat() and listxattrat()) bypassing auditd monitoring due to their omission from audit read classes. To detect exploitation attempts, you should monitor audit logs for suspicious activity related to extended attribute reads and file permission changes.'}, {'type': 'paragraph', 'content': 'Since the missing system calls were not triggering auditd alerts, detection prior to patching is difficult. After patching, auditd rules monitoring read classes (e.g., -w /tmp/test -p rwa -k test_rwa) will catch these calls.'}, {'type': 'paragraph', 'content': 'Suggested commands to check audit logs and monitor relevant system calls include:'}, {'type': 'list_item', 'content': 'Use auditctl or ausearch to review audit logs for syscall events related to getxattr(), listxattr(), getxattrat(), and listxattrat().'}, {'type': 'list_item', 'content': "Example: `ausearch -k test_rwa` to search audit logs for events tagged with the key 'test_rwa'."}, {'type': 'list_item', 'content': 'Use `auditctl -l` to list current audit rules and verify that rules cover the read class including the *at variants.'}, {'type': 'list_item', 'content': 'Test with small programs or commands that invoke getxattrat() or listxattrat() and verify auditd logs capture these calls after patching.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update your Linux kernel to version 7.0 or one of the backported LTS versions (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19) that include the patch adding the missing system calls to the audit read class.

This update ensures that auditd properly monitors the getxattrat() and listxattrat() system calls, preventing stealthy bypass of audit rules.

Additionally, verify and update your audit rules to ensure they cover the read class comprehensively, including any new or variant system calls.

Until the kernel is updated, be aware that auditd may not detect these specific system calls, so consider additional monitoring or restricting permissions to limit potential misuse.

Useful 0 Not Useful 0