CVE-2026-23241

Vulnerability

Description

The Linux kernel audit subsystem groups system calls into classes to enforce file watch rules (e.g., -w /tmp/test -p r -k key). The read class, defined in files such as include/asm-generic/audit_read.h, includes getxattr, listxattr, and their l (link) and f (fd) variants, but it was missing the "at" variants getxattrat and listxattrat [1]. This omission means that an operation that reads extended attributes via these newer syscalls does not trigger an audit record for read permission events, effectively bypassing the intended monitoring.

Exploitation

An attacker with local access to a system can exploit this by calling getxattrat() or listxattrat() on a file to read its extended attributes without the audit subsystem generating an event for the read action. The attack does not require any special privileges beyond normal file access; it simply uses the missing syscall path to evade detection [1]. The prerequisite is that the target file is under an audit watch rule that would normally log reads.

Impact

By using the unmonitored syscalls, an attacker can stealthily retrieve extended attributes of files, which may contain sensitive metadata, security labels, or configuration data. This undermines the integrity of the audit system and could allow malicious activity to go undetected, as the logs would show no read access on the watched file. The CVSS v3 score of 5.5 (Medium) reflects the local access requirement and the potential for information disclosure.

Mitigation

The Linux kernel has been patched to include getxattrat and listxattrat in the audit read class. Users should apply the corresponding kernel update from their distribution or the mainline stable kernel to restore full audit coverage. No workaround exists other than updating the kernel [1].