CVE-2026-53287
Received Received - Intake
Linux Kernel CAPSET Capability Inheritance Vulnerability

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: audit: fix incorrect inheritable capability in CAPSET records __audit_log_capset() records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cap_pi (process inheritable) with the value of cap_effective instead of cap_inheritable. This silently corrupts audit data used for compliance and forensic analysis: an attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have the change masked in the audit trail. The bug has been present since the original introduction of CAPSET audit records in 2008.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-27
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-53287
EUVD
EUVD-2026-39892
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 2008 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's audit system, specifically in how it records capability sets in CAPSET audit records.

Due to a copy-paste error, the function __audit_log_capset() incorrectly records the effective capability set into the inheritable capability field.

As a result, every CAPSET audit record reports the process inheritable capabilities with the value of the effective capabilities instead of the actual inheritable capabilities.

This causes silent corruption of audit data that is used for compliance and forensic analysis.

An attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have those changes masked in the audit trail, making detection difficult.

This bug has existed since CAPSET audit records were introduced in 2008.

Impact Analysis

This vulnerability can impact you by corrupting audit data related to process capabilities.

Because the audit records incorrectly log inheritable capabilities, any malicious changes made by an attacker to escalate privileges may not be visible in audit logs.

This makes it harder to detect and investigate privilege escalation attempts, potentially allowing attackers to operate undetected.

Overall, it weakens the reliability of audit trails used for security monitoring and forensic analysis.

Compliance Impact

This vulnerability affects compliance by silently corrupting audit data that is critical for demonstrating security controls.

Standards and regulations such as GDPR and HIPAA require accurate and reliable audit logs to detect and respond to security incidents.

Because the audit records mask changes to inheritable capabilities, organizations may fail to detect unauthorized privilege escalations.

This undermines the integrity of audit trails and could lead to non-compliance with regulatory requirements for security monitoring and incident response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53287. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart