GHSA-7w44-35gq-6jc3unknown

In the Linux kernel, the following vulnerability has been resolved: audit: fix incorrect...

Published
June 26, 2026
Last Modified
June 26, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

audit: fix incorrect inheritable capability in CAPSET records

__audit_log_capset() records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cap_pi (process inheritable) with the value of cap_effective instead of cap_inheritable.

This silently corrupts audit data used for compliance and forensic analysis: an attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have the change masked in the audit trail.

The bug has been present since the original introduction of CAPSET audit records in 2008.

🔗 References (10)