Insufficient logging in Linux kernel - CVE-2026-23241
Published: March 17, 2026
Vulnerability identifier: #VU124081
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23241
CWE-ID: CWE-778
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to bypass audit logging for specific file operations.
The vulnerability exists due to improper input validation in the audit subsystem when handling getxattrat() and listxattrat() system calls. A local user can perform extended attribute retrieval operations on files to bypass configured audit rules intended to monitor read, write, and attribute access.
Successful exploitation requires the ability to execute system calls on files with extended attributes and existing audit rules that monitor attribute access. The impact includes reduced audit trail visibility, potentially enabling undetected access to sensitive files.
How to mitigate CVE-2026-23241
Install update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/33cdef7ecf6e5d2cf46a35ec26befce072a1aa07
- https://git.kernel.org/stable/c/5632d14b2f2a0ade2d0068e12676ebed67e3bb2a
- https://git.kernel.org/stable/c/a2e8c144299c31d3972295ed80d4cb908daf4f6f
- https://git.kernel.org/stable/c/ad37505ce869a8100ff23f24eea117de7a7516bf
- https://git.kernel.org/stable/c/ada4bba3afefee1fa68aa6bd1fd597ea4b11a16e
- https://git.kernel.org/stable/c/bcb90a2834c7393c26df9609b889a3097b7700cd
- https://git.kernel.org/stable/c/ed8efd623a5738e03de09dd74b505d0fb77b09f3
- https://git.kernel.org/stable/c/f5d27ad99fcaa7d965b344dd0b00d9413585c3cb
- https://www.bencteux.fr/posts/missing_syscalls_audit/