{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-71239", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-02-18T14:25:13.845Z", "datePublished": "2026-03-17T09:11:03.386Z", "dateUpdated": "2026-04-13T06:02:29.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T06:02:29.886Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: add fchmodat2() to change attributes class\n\nfchmodat2(), introduced in version 6.6 is currently not in the change\nattribute class of audit. Calling fchmodat2() to change a file\nattribute in the same fashion than chmod() or fchmodat() will bypass\naudit rules such as:\n\n-w /tmp/test -p rwa -k test_rwa\n\nThe current patch adds fchmodat2() to the change attributes class."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/asm-generic/audit_change_attr.h"], "versions": [{"version": "09da082b07bbae1c11d9560c8502800039aebcea", "lessThan": "91e27bc79c3bca93c06bf5a471d47df9a35b3741", "status": "affected", "versionType": "git"}, {"version": "09da082b07bbae1c11d9560c8502800039aebcea", "lessThan": "3e762a03713e8c25ca0108c075d662c897fc0623", "status": "affected", "versionType": "git"}, {"version": "09da082b07bbae1c11d9560c8502800039aebcea", "lessThan": "4fed776ca86378da7dd743a7b648e20b025ba8ef", "status": "affected", "versionType": "git"}, {"version": "09da082b07bbae1c11d9560c8502800039aebcea", "lessThan": "c4334c0d0e7d6f02ed93756fd4ba807e3d00c05f", "status": "affected", "versionType": "git"}, {"version": "09da082b07bbae1c11d9560c8502800039aebcea", "lessThan": "4f493a6079b588cf1f04ce5ed6cdad45ab0d53dc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/asm-generic/audit_change_attr.h"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/91e27bc79c3bca93c06bf5a471d47df9a35b3741"}, {"url": "https://git.kernel.org/stable/c/3e762a03713e8c25ca0108c075d662c897fc0623"}, {"url": "https://git.kernel.org/stable/c/4fed776ca86378da7dd743a7b648e20b025ba8ef"}, {"url": "https://git.kernel.org/stable/c/c4334c0d0e7d6f02ed93756fd4ba807e3d00c05f"}, {"url": "https://git.kernel.org/stable/c/4f493a6079b588cf1f04ce5ed6cdad45ab0d53dc"}, {"url": "https://www.bencteux.fr/posts/missing_syscalls_audit/"}], "title": "audit: add fchmodat2() to change attributes class", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: add fchmodat2() to change attributes class\n\nfchmodat2(), introduced in version 6.6 is currently not in the change\nattribute class of audit. Calling fchmodat2() to change a file\nattribute in the same fashion than chmod() or fchmodat() will bypass\naudit rules such as:\n\n-w /tmp/test -p rwa -k test_rwa\n\nThe current patch adds fchmodat2() to the change attributes class."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\naudit: a\u00f1adir fchmodat2() a la clase de cambio de atributos\n\nfchmodat2(), introducido en la versi\u00f3n 6.6, actualmente no est\u00e1 en la clase de cambio de atributos de audit. Llamar a fchmodat2() para cambiar un atributo de archivo de la misma manera que chmod() o fchmodat() eludir\u00e1 las reglas de audit como:\n\n-w /tmp/test -p rwa -k test_rwa\n\nEl parche actual a\u00f1ade fchmodat2() a la clase de cambio de atributos."}], "id": "CVE-2025-71239", "lastModified": "2026-03-18T17:16:04.707", "metrics": {}, "published": "2026-03-17T10:15:59.010", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3e762a03713e8c25ca0108c075d662c897fc0623"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4f493a6079b588cf1f04ce5ed6cdad45ab0d53dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4fed776ca86378da7dd743a7b648e20b025ba8ef"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/91e27bc79c3bca93c06bf5a471d47df9a35b3741"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c4334c0d0e7d6f02ed93756fd4ba807e3d00c05f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://www.bencteux.fr/posts/missing_syscalls_audit/"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: audit: add fchmodat2() to change attributes class", "id": "2448336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448336"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2025-71239", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-71239\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-71239\nhttps://lore.kernel.org/linux-cve-announce/2026031708-CVE-2025-71239-47f6@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f714315d7d68898d03093f67285256a8770f903c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3ee75b13ea5f05ff9adc784b2464825bd70eb119)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,57489a89657cc94bf6ad8427d1902daba9156aa1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,91e27bc79c3bca93c06bf5a471d47df9a35b3741)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3e762a03713e8c25ca0108c075d662c897fc0623)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4fed776ca86378da7dd743a7b648e20b025ba8ef)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c4334c0d0e7d6f02ed93756fd4ba807e3d00c05f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4f493a6079b588cf1f04ce5ed6cdad45ab0d53dc)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.252,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.202,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.165,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.128,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.75,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.16,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.6,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc1,*)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T04:42:34.424154+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that contains the fchmodat2() audit fix (e.g., upgrade to a patched 6.6.x release).", "Verify that the audit change\u2011attributes class now lists fchmodat2() by inspecting auditctl -l output or audit configuration files.", "If an immediate kernel upgrade is not feasible, restrict use of the fchmodat2() system call via a seccomp filter or a custom kernel module that blocks the call.", "Continuously monitor audit logs for unexpected attribute changes and correlate any anomalies with recent system activity."], "summary": {"action": "Immediate Patch", "impact": "Audit bypass and unauthorized attribute change"}, "threat_synthesis": {"affected_systems": "Linux kernel versions that include fchmodat2() but do not yet apply the patch are vulnerable. This includes unpatched kernel 6.6 releases and any distribution shipping that version without the audit update. Kernels that have been upgraded to include the audit fix (e.g., patched 6.6.x releases) are no longer impacted.", "description_and_impact": "The Linux kernel audit subsystem omitted the fchmodat2() system call from its change\u2011attributes class when it was introduced in kernel 6.6. Calls to fchmodat2() can modify file permissions or attributes exactly as chmod() or fchmodat(), but because it was not audited the action is not logged by audit rules such as \u2011w /tmp/file \u2011p rwa \u2011k test_rwa. This allows a user to change attributes on a file or directory without generating evidence in the audit trail, potentially facilitating tampering, privilege escalation, or post\u2011exploitation cover\u2011up. The weakness manifests as improper access control and incorrect permission assignment because the kernel does not enforce audit recording for a privileged function.", "risk_and_exploitability": "The EPSS score is reported as less than 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. The flaw can be leveraged by any user who can invoke fchmodat2(), which is a standard system call, creating a post\u2011exploitation advantage in environments where audit integrity is critical. The lack of audit coverage does not allow remote exploitation, but local privilege escalation or tampering remains possible if the attacker can execute the system call with sufficient privileges."}}}}, "created": "2026-03-18T12:13:31.810939+00:00", "updated": "2026-03-26T12:21:12.244284+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}