Medium severity (5.5) · NVD Advisory · Published Mar 17, 2026 · Updated May 20, 2026

CVE-2025-71239

Description

In the Linux kernel, the following vulnerability has been resolved:

audit: add fchmodat2() to change attributes class

fchmodat2(), introduced in version 6.6, is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion as chmod() or fchmodat() will bypass audit rules such as:

-w /tmp/test -p rwa -k test_rwa

The current patch adds fchmodat2() to the change attributes class.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel audit subsystem omitted fchmodat2() from the change-attributes class, allowing bypass of audit rules monitoring file attribute changes.

Vulnerability Description

The Linux kernel audit subsystem groups system calls into classes to enable filesystem watch rules (e.g., -p a for attribute changes). The fchmodat2() syscall, introduced in kernel version 6.6, was inadvertently omitted from the "change attributes" class. This means that any filesystem audit rule configured to monitor file attribute modifications (using permission a) would not trigger when fchmodat2() is used, unlike its counterparts chmod() or fchmodat() [1].

Exploitation and Attack Surface

An attacker with local access to the system can call fchmodat2() to modify file permissions without generating an audit event. No special privileges beyond the ability to invoke the syscall on files they can access are required. The bypass specifically affects audit rules that rely on system call class grouping, such as -w /tmp/test -p rwa -k test_rwa, which would otherwise log attribute changes [1].

Impact

Successful exploitation allows an attacker to stealthily alter file permissions (e.g., making a file executable or writable) without the action being recorded by the audit subsystem. This undermines the integrity of audit-based monitoring and compliance controls, potentially enabling further malicious activities to go undetected.

Mitigation

The Linux kernel has been patched by adding fchmodat2() to the change attributes class in the audit subsystem. Users are advised to update their kernels to versions containing the fix (stable commits referenced in the kernel repository). No workaround is available; only the kernel patch ensures that the syscall is properly audited [1].
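A regression probe for confirming the fix after a kernel update, added here as an example and not taken from the kernel patch or this advisory. It assumes the watch rule from the description (-w /tmp/test -p rwa -k test_rwa) is loaded and that /tmp/test already exists; the function name and the fallback syscall number 452 (x86-64 and arm64) are assumptions of this example.

```c
/* Added example: regression probe for the fchmodat2() audit fix.
 * Assumes this watch rule is loaded and the watched file exists:
 *   -w /tmp/test -p rwa -k test_rwa */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_fchmodat2
#define __NR_fchmodat2 452 /* assumption: x86-64/arm64 value for older libc headers */
#endif

/* Change the mode of `path` with the raw fchmodat2() syscall.
 * Returns 0 on success, 1 if the kernel lacks the syscall (pre-6.6),
 * -1 on any other error (errno is left set by the kernel). */
int chmod_via_fchmodat2(const char *path, mode_t mode)
{
    if (syscall(__NR_fchmodat2, (long)AT_FDCWD, path, (long)mode, 0L) == 0)
        return 0;
    return errno == ENOSYS ? 1 : -1;
}

int main(int argc, char **argv)
{
    /* The file is not created here: an open() on the watched path would
     * itself produce records under the same key and blur the result. */
    const char *path = argc > 1 ? argv[1] : "/tmp/test";

    switch (chmod_via_fchmodat2(path, 0600)) {
    case 0:
        printf("mode of %s changed via fchmodat2()\n", path);
        printf("now run: ausearch -k test_rwa -ts recent\n");
        printf("fixed kernel: a SYSCALL record with syscall=%d is present\n",
               __NR_fchmodat2);
        return 0;
    case 1:
        printf("kernel has no fchmodat2(); this bypass does not apply\n");
        return 0;
    default:
        fprintf(stderr, "fchmodat2(%s): %s\n", path, strerror(errno));
        return 2;
    }
}
```

If the mode change succeeds and ausearch shows no record for the call under the test_rwa key, the running kernel does not yet carry the fix.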

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
