Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local syscall with low-privilege access corrupts audit record integrity; no confidentiality or availability impact applies.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
audit: fix incorrect inheritable capability in CAPSET records
__audit_log_capset() records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cap_pi (process inheritable) with the value of cap_effective instead of cap_inheritable.
This silently corrupts audit data used for compliance and forensic analysis: an attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have the change masked in the audit trail.
The bug has been present since the original introduction of CAPSET audit records in 2008.
AnalysisAI
Silent audit trail corruption in the Linux kernel's capability auditing subsystem allows a local attacker who manipulates inheritable capabilities as a precursor to privilege escalation to have that manipulation go unrecorded in CAPSET audit logs since 2008. The __audit_log_capset() function records cap_effective into the cap_pi (inheritable) field due to a copy-paste error, meaning compliance and forensic systems receive falsified capability state that masks the inheritable-cap modification step of a privilege escalation chain. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The audit corruption is triggered by any process that calls the `capset(2)` syscall, which requires at minimum `PR:L` (local user access). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H scores 5.5 but the A:H metric is analytically inconsistent with the described impact, which is data integrity corruption of audit records rather than a loss of system availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with an unprivileged user account calls `capset()` to add inheritable capabilities (e.g., CAP_NET_BIND_SERVICE or CAP_SETUID) to their process capability set as a setup step before executing a binary that has the corresponding file capability or ambient capability bit set, gaining elevated privileges post-exec. Because `__audit_log_capset()` records `cap_effective` instead of `cap_pi`, the audit trail shows no change in inheritable capabilities, and a security analyst reviewing CAPSET records post-incident fails to identify this setup step, making the privilege escalation appear to originate from nowhere. … |
| Remediation | Update the Linux kernel to a patched stable release: 7.1, 7.0.10, 6.18.33, 6.12.91, 6.6.141, 6.1.175, 5.15.209, or 5.10.258 depending on the branch in use. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39892
GHSA-7w44-35gq-6jc3