{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-17T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: audit: add missing syscalls to read class",
    "id" : "2448335",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2448335"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-693",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\naudit: add missing syscalls to read class\nThe \"at\" variant of getxattr() and listxattr() are missing from the\naudit read class. Calling getxattrat() or listxattrat() on a file to\nread its extended attributes will bypass audit rules such as:\n-w /tmp/test -p rwa -k test_rwa\nThe current patch adds missing syscalls to the audit read class." ],
  "statement" : "Audit rules for the read class could be bypassed because getxattrat and listxattrat were not included in the audit read syscall set. A local process can read extended attributes using the \"at\" variants and avoid triggering audit watches, such as file path rules configured for reads. The impact is limited to reduced security monitoring and potential evasion of audit-based detection and compliance controls.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23241\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23241\nhttps://lore.kernel.org/linux-cve-announce/2026031710-CVE-2026-23241-86e0@gregkh/T" ],
  "name" : "CVE-2026-23241",
  "csaw" : false
}