Impact
When fchmodat2() was introduced in Linux kernel 6.6, the audit subsystem omitted the new system call from its change-attributes class. A call to fchmodat2() can modify file permissions or attributes exactly as chmod() or fchmodat() do, but because the call was left out of that class, the action is not logged by audit rules such as -w /tmp/file -p rwa -k test_rwa. This allows a user to change attributes on a file or directory without generating evidence in the audit trail, potentially facilitating tampering, privilege escalation, or post-exploitation cover-up. The weakness manifests as improper access control and incorrect permission assignment because the kernel does not enforce audit recording for a privileged function.
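An added example, not part of the advisory: a Python check that reviews audit rule text for the two rule shapes this gap affects, attribute watches and explicit chmod-family syscall rules. Only the watch rule is quoted from the advisory; the other sample rules, the key names and the function name review_rules are constructed for illustration.

```python
import shlex

CHMOD_FAMILY = {"chmod", "fchmod", "fchmodat"}
NEW_CALL = "fchmodat2"

# Constructed sample rules; only the first watch rule is quoted from the advisory.
SAMPLE_RULES = """\
# constructed sample audit.rules content
-w /tmp/file -p rwa -k test_rwa
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -S fchmodat2 -k perm_mod
-w /etc/passwd -p r -k passwd_read
"""

def review_rules(text):
    """Return (line_no, finding) pairs for rules affected by the fchmodat2 gap."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        syscalls, perms = set(), ""
        for i, tok in enumerate(tokens):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if tok == "-S":                      # -S a,b,c or repeated -S a -S b
                syscalls.update(nxt.split(","))
            elif tok == "-p":                    # watch permission filter
                perms = nxt
            elif tok == "-F" and nxt.startswith("perm="):
                perms = nxt[len("perm="):]
        if syscalls & CHMOD_FAMILY and NEW_CALL not in syscalls:
            # Explicit syscall lists match only what they name.
            findings.append((no, "chmod-family syscall rule does not list fchmodat2"))
        elif "a" in perms:
            # The 'a' permission is expanded by the kernel's change-attributes class.
            findings.append((no, "attribute watch relies on the kernel class; needs the audit fix"))
    return findings

if __name__ == "__main__":
    for no, finding in review_rules(SAMPLE_RULES):
        print(f"line {no}: {finding}")
```

Adding fchmodat2 to an explicit -S list covers that rule only; watch rules that use the a permission depend on the kernel's class table and regain coverage once the kernel includes the audit fix.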
Affected Systems
Linux kernel versions that include fchmodat2() but do not yet include the audit fix are vulnerable. This covers unpatched kernel 6.6 releases and any distribution shipping that version without the audit update. Kernels that have been upgraded to include the audit fix (e.g., patched 6.6.x releases) are no longer impacted.
Risk and Exploitability
The EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. The flaw can be leveraged by any user who can invoke fchmodat2(), a standard system call, which creates a post-exploitation advantage in environments where audit integrity is critical. The lack of audit coverage does not allow remote exploitation, but local privilege escalation or tampering remains possible if the attacker can execute the system call with sufficient privileges.