CVE-2026-53287

In the Linux kernel, the following vulnerability has been resolved:

audit: fix incorrect inheritable capability in CAPSET records

audit log capset() records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cap pi (process inheritable) with the value of cap effective instead of cap inheritable.

This silently corrupts audit data used for compliance and forensic analysis: an attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have the change masked in the audit trail.

The bug has been present since the original introduction of CAPSET audit records in 2008.