Description
In the Linux kernel, the following vulnerability has been resolved:

audit: add missing syscalls to read class

The "at" variant of getxattr() and listxattr() are missing from the
audit read class. Calling getxattrat() or listxattrat() on a file to
read its extended attributes will bypass audit rules such as:

-w /tmp/test -p rwa -k test_rwa

The current patch adds missing syscalls to the audit read class.
Published: 2026-03-17
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing audit classification for the at‑variants of getxattr() and listxattr() in the Linux kernel allows those syscalls to execute without creating audit records. This omission lets a process read extended file attributes using getxattrat() or listxattrat() while remaining invisible to the kernel’s audit logging, thereby enabling covert information gathering or other malicious actions.

Affected Systems

All installations of the Linux kernel that have not incorporated the patch adding getxattrat() and listxattrat() to the audit read class. The information does not specify kernel versions, so any release prior to the application of the cited patch is considered potentially affected.

Risk and Exploitability

The CVSS score of 5.5 denotes a moderate severity, and the EPSS score of <1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires local or privileged execution to invoke the affected syscalls; the audit bypass then reduces detection capability across the system.

Generated by OpenCVE AI on May 21, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that implements the audit read class changes for getxattrat() and listxattrat().
  • Add explicit audit rules that monitor calls to getxattrat() and listxattrat() so that audit events are generated even if future kernel changes alter class assignments.
  • Deploy a tamper‑resistant, centralized audit logging system (e.g., remote syslog or SIEM) to ensure audit records are captured and retained independently of local kernel logging.

Generated by OpenCVE AI on May 21, 2026 at 00:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-117

Wed, 20 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
References

Wed, 18 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References

Tue, 17 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as: -w /tmp/test -p rwa -k test_rwa The current patch adds missing syscalls to the audit read class.
Title audit: add missing syscalls to read class
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:03:03.259Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23241

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T10:16:00.127

Modified: 2026-05-20T19:45:27.267

Link: CVE-2026-23241

cve-icon Redhat

Severity :

Publid Date: 2026-03-17T00:00:00Z

Links: CVE-2026-23241 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T00:15:20Z

Weaknesses