Skip to main content

Linux Kernel EUVDEUVD-2026-39892

| CVE-2026-53287 MEDIUM
2026-06-26 Linux GHSA-7w44-35gq-6jc3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local syscall with low-privilege access corrupts audit record integrity; no confidentiality or availability impact applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 04:26 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 nvd
MEDIUM 5.5
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

audit: fix incorrect inheritable capability in CAPSET records

__audit_log_capset() records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cap_pi (process inheritable) with the value of cap_effective instead of cap_inheritable.

This silently corrupts audit data used for compliance and forensic analysis: an attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have the change masked in the audit trail.

The bug has been present since the original introduction of CAPSET audit records in 2008.

AnalysisAI

Silent audit trail corruption in the Linux kernel's capability auditing subsystem allows a local attacker who manipulates inheritable capabilities as a precursor to privilege escalation to have that manipulation go unrecorded in CAPSET audit logs since 2008. The __audit_log_capset() function records cap_effective into the cap_pi (inheritable) field due to a copy-paste error, meaning compliance and forensic systems receive falsified capability state that masks the inheritable-cap modification step of a privilege escalation chain. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local user access
Delivery
Call capset() to seed inheritable capability set
Exploit
Execute target binary with matching file/ambient capability bit
Execution
Inherit elevated capability post-exec
Persist
Audit trail records cap_effective as cap_pi, masking the inheritable cap change
Impact
Forensic analysis fails to reconstruct privilege escalation path

Vulnerability AssessmentAI

Exploitation The audit corruption is triggered by any process that calls the `capset(2)` syscall, which requires at minimum `PR:L` (local user access). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H scores 5.5 but the A:H metric is analytically inconsistent with the described impact, which is data integrity corruption of audit records rather than a loss of system availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with an unprivileged user account calls `capset()` to add inheritable capabilities (e.g., CAP_NET_BIND_SERVICE or CAP_SETUID) to their process capability set as a setup step before executing a binary that has the corresponding file capability or ambient capability bit set, gaining elevated privileges post-exec. Because `__audit_log_capset()` records `cap_effective` instead of `cap_pi`, the audit trail shows no change in inheritable capabilities, and a security analyst reviewing CAPSET records post-incident fails to identify this setup step, making the privilege escalation appear to originate from nowhere. …
Remediation Update the Linux kernel to a patched stable release: 7.1, 7.0.10, 6.18.33, 6.12.91, 6.6.141, 6.1.175, 5.15.209, or 5.10.258 depending on the branch in use. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy