CVE-2026-23241
Analyzed Analyzed - Analysis Complete

Audit Bypass via Missing getxattrat Syscalls in Linux Kernel

Vulnerability report for CVE-2026-23241, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-17

Last updated on: 2026-05-20

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as: -w /tmp/test -p rwa -k test_rwa The current patch adds missing syscalls to the audit read class.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-17
Last Modified
2026-05-20
Generated
2026-07-06
AI Q&A
2026-03-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-23241 is a vulnerability in the Linux kernel audit subsystem where certain new system calls were missing from the audit classes that monitor file operations.'}, {'type': 'paragraph', 'content': "Specifically, the 'at' variants of getxattr() and listxattr() system calls (getxattrat() and listxattrat()) were not included in the audit read class. This omission meant that when these system calls were used to read extended file attributes, such as SELinux labels or file capabilities, the audit system (auditd) did not generate alerts."}, {'type': 'paragraph', 'content': 'As a result, these system calls could bypass audit rules designed to monitor file reads, allowing stealthy operations to go undetected.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by adding the missing system calls to the audit read class in Linux kernel version 7.0 and backported to several long-term support versions.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing certain file operations to occur without being logged or detected by the Linux audit system.

Specifically, attackers or users with sufficient permissions could use the missing system calls to read extended file attributes or change file permissions stealthily, bypassing auditd monitoring.

This undermines the reliability of audit logs and security monitoring, potentially allowing unauthorized or malicious activities to go unnoticed.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves certain system calls (getxattrat() and listxattrat()) bypassing auditd monitoring due to their omission from audit read classes. To detect exploitation attempts, you should monitor audit logs for suspicious activity related to extended attribute reads and file permission changes.'}, {'type': 'paragraph', 'content': 'Since the missing system calls were not triggering auditd alerts, detection prior to patching is difficult. After patching, auditd rules monitoring read classes (e.g., -w /tmp/test -p rwa -k test_rwa) will catch these calls.'}, {'type': 'paragraph', 'content': 'Suggested commands to check audit logs and monitor relevant system calls include:'}, {'type': 'list_item', 'content': 'Use auditctl or ausearch to review audit logs for syscall events related to getxattr(), listxattr(), getxattrat(), and listxattrat().'}, {'type': 'list_item', 'content': "Example: `ausearch -k test_rwa` to search audit logs for events tagged with the key 'test_rwa'."}, {'type': 'list_item', 'content': 'Use `auditctl -l` to list current audit rules and verify that rules cover the read class including the *at variants.'}, {'type': 'list_item', 'content': 'Test with small programs or commands that invoke getxattrat() or listxattrat() and verify auditd logs capture these calls after patching.'}] [1]

Mitigation Strategies

The primary mitigation is to update your Linux kernel to version 7.0 or one of the backported LTS versions (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19) that include the patch adding the missing system calls to the audit read class.

This update ensures that auditd properly monitors the getxattrat() and listxattrat() system calls, preventing stealthy bypass of audit rules.

Additionally, verify and update your audit rules to ensure they cover the read class comprehensively, including any new or variant system calls.

Until the kernel is updated, be aware that auditd may not detect these specific system calls, so consider additional monitoring or restricting permissions to limit potential misuse.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart