CVE-2025-71239 Overview
CVE-2025-71239 affects the Linux kernel audit subsystem. The fchmodat2() syscall, introduced in kernel version 6.6, was omitted from the audit change attribute class. This omission allows the syscall to modify file attributes without triggering audit rules configured to watch for permission changes. An attacker or unauthorized user can bypass detection by using fchmodat2() instead of chmod() or fchmodat() when performing the same attribute modifications. The patch adds fchmodat2() to the change attributes class so audit rules apply consistently across equivalent syscalls.
Critical Impact
Audit rules monitoring file permission changes can be silently bypassed by using fchmodat2() instead of equivalent syscalls, undermining file integrity monitoring and forensic visibility.
Affected Products
- Linux kernel version 6.6 and later (prior to the patch)
- Distributions shipping kernels with the fchmodat2() syscall
- Systems relying on Linux audit framework for file attribute monitoring
Discovery Timeline
- 2026-03-17 - CVE-2025-71239 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2025-71239
Vulnerability Analysis
The Linux audit framework groups syscalls into classes such as the change attributes class, which covers operations modifying file metadata. Administrators configure watch rules like -w /tmp/test -p rwa -k test_rwa to track permission and attribute changes on monitored paths. These rules rely on the audit subsystem mapping every relevant syscall into the correct class.
Kernel version 6.6 introduced fchmodat2() as an enhanced version of fchmodat() supporting additional flags. The syscall performs the same file mode change operation, but the audit subsystem did not register it as a member of the change attributes class. As a result, audit watches did not generate events when fchmodat2() modified attributes on watched paths.
The gap creates a detection blind spot. Defenders relying on audit logs for compliance, file integrity monitoring, or incident response receive no record of attribute changes performed through the newer syscall.
Root Cause
The root cause is an incomplete syscall classification in the audit subsystem. When fchmodat2() was added to the kernel, the corresponding entry in the audit change attributes class was not updated. This is a configuration oversight in the kernel rather than a memory safety issue.
Attack Vector
A local user or process invokes fchmodat2() directly to alter file permissions on paths watched by audit rules. The attribute change succeeds without producing the expected audit record. The technique requires no elevated privileges beyond what the equivalent chmod() call would need. Researcher analysis of missing syscalls is documented in the Bencteux Blog Post on Syscalls.
The vulnerability mechanism is described in prose because verified exploit code is not included with the advisory. The fix is delivered through the kernel commits referenced below, which add fchmodat2() to the change attribute classification table.
Detection Methods for CVE-2025-71239
Indicators of Compromise
- File permission changes observed through filesystem state comparison without matching audit records for chmod, fchmod, or fchmodat
- Discrepancies between expected audit events from watch rules and actual logged syscalls on monitored paths
- Unexpected mode changes on sensitive files such as /etc/shadow, /etc/sudoers, or SUID binaries with no audit trail
Detection Strategies
- Supplement audit watches with periodic file integrity baseline comparisons using tools such as AIDE or Tripwire
- Hook fchmodat2() invocations through eBPF tracing or bpftrace scripts to capture syscall activity independent of the audit subsystem
- Correlate process execution telemetry with file metadata changes to identify silent permission modifications
Monitoring Recommendations
- Inventory kernel versions across the fleet to identify hosts running 6.6 or newer without the audit fix
- Enable syscall-level tracing for fchmodat2 on systems where audit rules enforce compliance requirements
- Forward kernel audit logs and eBPF telemetry to a central data lake for cross-source correlation and anomaly identification
How to Mitigate CVE-2025-71239
Immediate Actions Required
- Apply kernel updates containing the patches referenced in the Kernel Git Commit 3e762a0, Kernel Git Commit 4f493a6, Kernel Git Commit 4fed77c, Kernel Git Commit 91e27bc, and Kernel Git Commit c4334c0
- Audit existing watch rules to confirm they cover all attribute-modifying syscalls including fchmodat2
- Validate that file integrity monitoring tooling captures permission changes independently of kernel audit
Patch Information
The fix adds fchmodat2() to the audit change attributes class. Backported patches are available across stable kernel branches through the kernel.org commits listed above. Distribution vendors are expected to ship updated kernel packages incorporating these changes.
Workarounds
- Add explicit audit syscall rules targeting fchmodat2 by syscall number on unpatched kernels, for example -a always,exit -F arch=b64 -S fchmodat2 -k attr_change
- Restrict access to the fchmodat2 syscall through seccomp profiles for processes that do not require it
- Increase reliance on out-of-band file integrity monitoring until the kernel patch is deployed
# Example audit rule to explicitly track fchmodat2 on unpatched kernels
auditctl -a always,exit -F arch=b64 -S fchmodat2 -k attr_change
auditctl -a always,exit -F arch=b32 -S fchmodat2 -k attr_change
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

