Description
In the Linux kernel, the following vulnerability has been resolved:

audit: fix incorrect inheritable capability in CAPSET records

__audit_log_capset() records the effective capability set into the
inheritable field due to a copy-paste error. Every CAPSET audit
record therefore reports cap_pi (process inheritable) with the value
of cap_effective instead of cap_inheritable.

This silently corrupts audit data used for compliance and forensic
analysis: an attacker who modifies inheritable capabilities to
prepare for a privilege-escalating exec would have the change masked
in the audit trail.

The bug has been present since the original introduction of CAPSET
audit records in 2008.
Published: 2026-06-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel audit subsystem previously logged the effective capability set into the inheritable field of every CAPSET record due to a copy‑paste error. As a result, any capability changes intended for privilege‑escalation attacks are masked in the audit trail, compromising forensic and compliance integrity.

Affected Systems

All Linux kernel implementations are affected because the defect resides in core audit code that has existed since 2008. The affected versions are not specifically enumerated in the public advisory, so any installation that has not yet applied the latest kernel patch that corrects the CAPSET audit log behavior remains vulnerable.

Risk and Exploitability

The flaw does not grant direct privilege escalation or denial‑of‑service; rather, it permits a local attacker who can manipulate process capabilities to hide those changes from audit logs. The likely attack vector is inferred to be local only, requiring the attacker to have some ability to adjust capabilities, typically demanding elevated privileges. The CVSS score of 5.5 and an EPSS score of less than 1% indicate moderate severity and low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but its impact on audit integrity justifies prompt remediation.

Generated by OpenCVE AI on June 30, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the audit CAPSET record fix from the relevant commit history.
  • Reboot the system to activate the corrected kernel and ensure that auditd records the proper capability fields going forward.
  • Continuously monitor audit logs for anomalous CAPSET entries and investigate any inconsistencies to maintain compliance and forensic reliability.

Generated by OpenCVE AI on June 30, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Tue, 30 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-200

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 26 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-200

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: audit: fix incorrect inheritable capability in CAPSET records __audit_log_capset() records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cap_pi (process inheritable) with the value of cap_effective instead of cap_inheritable. This silently corrupts audit data used for compliance and forensic analysis: an attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have the change masked in the audit trail. The bug has been present since the original introduction of CAPSET audit records in 2008.
Title audit: fix incorrect inheritable capability in CAPSET records
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:47.946Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53287

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53287 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T04:00:08Z

Weaknesses

No weakness.