The vulnerability arises because the audit subsystem in the Linux kernel omitted the at variants of getxattr() and listxattr() from its read class. As a result, calls to getxattrat() or listxattrat() on files allow extended attributes to be read without triggering audit rules that would normally flag such operations. This missing audit entry enables an attacker to read file metadata stealthily, potentially leading to information disclosure or aiding in lateral movement. The weakness corresponds to improper handling of audit logging, which is a form of missing or ineffective access control and monitoring.

Affected systems are Linux kernel deployments where the audit subsystem does not yet include the missing syscalls in its read class. Specific version information was not provided; therefore the issue applies to any kernel version prior to the patch that adds getxattrat() and listxattrat() to the audit read class. The impacted product can be identified by the CPE string cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

The CVSS score and EPSS exploration values are not provided in the data, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likelihood of exploitation is moderate; an attacker would need local or privileged code execution to invoke the affected system calls, but no exploit code or proof‑of‑concept is referenced. The primary risk is that audit logs will not capture certain read operations, weakening overall system observability. The official fix is to apply the kernel patch that incorporates the missing syscalls into the audit read class.