CVE-2026-23241 Linux CVE debrief

Who should care

Linux kernel maintainers, distro security teams, and operators who rely on audit rules to record file and extended-attribute reads on production systems.

Technical summary

According to the CVE description, the audit subsystem's read class omitted getxattrat() and listxattrat(). That omission meant audit rules intended to track reads on a path, such as a rule for /tmp/test with read/write/attribute logging, could be bypassed when the same information was accessed via the "at" syscall variants. NVD lists affected Linux kernel ranges as 6.13 through 6.18.15 and 6.19 through 6.19.5, with patches available in stable kernel commits.

Defensive priority

Medium

Recommended defensive actions

• Apply the upstream Linux kernel fixes referenced by the stable kernel patch commits.
• Prioritize updates for systems that use audit rules to monitor file or xattr access.
• Review audit policy coverage for extended-attribute read paths, including "at" syscall variants.
• Validate that your kernel version is outside the affected ranges listed by NVD.
• If you cannot patch immediately, treat audit logs involving xattr reads as potentially incomplete on affected kernels.

Evidence notes

Evidence comes from the CVE description, NVD analysis, and linked kernel.org stable patches. The CVE was published on 2026-03-17 and last modified in NVD on 2026-05-20. NVD classifies the issue with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and records affected Linux kernel ranges as version 6.13 through 6.18.15 and 6.19 through 6.19.5. NVD also marks the weakness as NVD-CWE-noinfo.

Official resources