CVE-2026-53287
Analyzed Analyzed - Analysis Complete

Linux Kernel CAPSET Capability Inheritance Vulnerability

Vulnerability report for CVE-2026-53287, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: audit: fix incorrect inheritable capability in CAPSET records __audit_log_capset() records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cap_pi (process inheritable) with the value of cap_effective instead of cap_inheritable. This silently corrupts audit data used for compliance and forensic analysis: an attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have the change masked in the audit trail. The bug has been present since the original introduction of CAPSET audit records in 2008.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-08
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 2.6.29 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's audit system, specifically in how it records capability sets in CAPSET audit records.

Due to a copy-paste error, the function __audit_log_capset() incorrectly records the effective capability set into the inheritable capability field.

As a result, every CAPSET audit record reports the process inheritable capabilities with the value of the effective capabilities instead of the actual inheritable capabilities.

This causes silent corruption of audit data that is used for compliance and forensic analysis.

An attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have those changes masked in the audit trail, making detection difficult.

This bug has existed since CAPSET audit records were introduced in 2008.

Impact Analysis

This vulnerability can impact you by corrupting audit data related to process capabilities.

Because the audit records incorrectly log inheritable capabilities, any malicious changes made by an attacker to escalate privileges may not be visible in audit logs.

This makes it harder to detect and investigate privilege escalation attempts, potentially allowing attackers to operate undetected.

Overall, it weakens the reliability of audit trails used for security monitoring and forensic analysis.

Compliance Impact

This vulnerability affects compliance by silently corrupting audit data that is critical for demonstrating security controls.

Standards and regulations such as GDPR and HIPAA require accurate and reliable audit logs to detect and respond to security incidents.

Because the audit records mask changes to inheritable capabilities, organizations may fail to detect unauthorized privilege escalations.

This undermines the integrity of audit trails and could lead to non-compliance with regulatory requirements for security monitoring and incident response.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53287. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart