PatchSiren

CVE-2025-71239 Linux CVE debrief

CVE-2025-71239 is a Linux kernel audit coverage issue where fchmodat2() was not included in the audit change-attributes class. As described in the CVE record, that omission meant a file attribute change performed with fchmodat2() could evade audit rules that would otherwise apply to chmod() or fchmodat(). The issue was publicly recorded on 2026-03-17 and later updated on 2026-05-20, with stable-kernel patch references listed in NVD.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-17
Original CVE updated: 2026-05-20
Advisory published: 2026-03-17
Advisory updated: 2026-05-20

Who should care

Kernel maintainers, distro security teams, and operators who rely on Linux audit rules for change-attribute monitoring should care. Security monitoring teams should also review whether their deployed kernels fall within the affected version ranges.

Technical summary

The vulnerability is a syscall coverage gap in Linux audit. fchmodat2(), introduced in Linux 6.6, was not mapped into the audit change-attributes class, so file attribute changes using that syscall could bypass audit rules intended to capture attribute modifications. NVD lists affected kernel ranges as 6.6 before 6.6.128, 6.7 before 6.12.75, 6.13 before 6.18.16, and 6.19 before 6.19.6. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a locally reachable issue requiring low privileges and no user interaction.

Defensive priority

Medium. This is not a remote code execution flaw, but it can undermine security monitoring and audit completeness on affected kernels. Environments that depend on audit-based detection or compliance evidence should prioritize patching and validation.

Recommended defensive actions

  • Confirm whether your Linux kernel version falls within any of the affected ranges listed in NVD.
  • Apply the relevant stable kernel updates that include the audit fix for fchmodat2().
  • Review audit rules and test that attribute-change events are captured as expected after patching.
  • If you operate compliance or monitoring tooling, verify that your detections do not assume chmod() and fchmodat() are the only attribute-changing paths.
  • Track distro advisories for backported fixes if you do not run upstream kernel versions.
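
A sketch of the first action above, as an added example rather than code from NVD or the kernel project: it compares a `uname -r` style release string against the affected ranges quoted in the technical summary. The function names and the sample release strings are assumptions made for illustration. A version match is not conclusive on distro kernels, which may carry a backported fix.

```python
import platform
import re

# Affected ranges as listed by NVD on this page: (first affected, first unaffected).
AFFECTED_RANGES = [
    ((6, 6, 0), (6, 6, 128)),
    ((6, 7, 0), (6, 12, 75)),
    ((6, 13, 0), (6, 18, 16)),
    ((6, 19, 0), (6, 19, 6)),
]


def parse_release(release):
    """Turn a `uname -r` string such as '6.8.0-45-generic' into (6, 8, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # A missing patch level (e.g. '6.19') is treated as .0
    return tuple(int(p) if p else 0 for p in m.groups())


def in_affected_range(release):
    """Return the matching (start, first_unaffected) range, or None."""
    version = parse_release(release)
    for start, first_unaffected in AFFECTED_RANGES:
        if start <= version < first_unaffected:
            return start, first_unaffected
    return None


def assess(release):
    """One-line verdict for a release string, suitable for fleet inventory output."""
    hit = in_affected_range(release)
    if hit is None:
        return f"{release}: outside the NVD-listed affected ranges"
    bound = ".".join(map(str, hit[1]))
    return (f"{release}: inside an affected range (first unaffected upstream "
            f"version in that range: {bound}); check the distro advisory for a backport")


if __name__ == "__main__":
    print(assess(platform.release()))
    # Constructed sample release strings, not taken from real hosts.
    for sample in ("6.5.13", "6.6.127", "6.6.128", "6.8.0-45-generic", "6.19.6"):
        print(assess(sample))
```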

Evidence notes

This debrief is based on the NVD CVE record, the CVE description supplied in the source corpus, the listed affected CPE version ranges, the CVSS vector, and the referenced stable-kernel patch links. A third-party advisory is listed by NVD, but no external content beyond the supplied metadata was used here.

Official resources

Public CVE record published on 2026-03-17 and modified on 2026-05-20. NVD marks the issue as analyzed and links stable kernel patches as remediation references.