Description
In the Linux kernel, the following vulnerability has been resolved:

inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails

When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
the error path calls inotify_remove_from_idr() but does not call
dec_inotify_watches() to undo the preceding inc_inotify_watches().
This leaks a watch count, and repeated failures can exhaust the
max_user_watches limit with -ENOSPC even when no watches are active.

Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
limits"), the watch count was incremented after fsnotify_add_mark_locked()
succeeded, so this path was not affected. The conversion moved
inc_inotify_watches() before the mark insertion without adding the
corresponding rollback.

Add the missing dec_inotify_watches() call in the error path.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel's inotify subsystem, a defect occurs when fsnotify_add_inode_mark_locked() fails while a new watch is being created. The error path does not decrement the inotify watch counter that was incremented beforehand, so the watch count leaks. Consequently, repeated failures accumulate in the counter until the kernel's max_user_watches limit is reached, after which subsequent watch creation attempts fail with -ENOSPC. This resource exhaustion can cause denial of service for applications that rely on inotify watches.

Affected Systems

The vulnerability affects all Linux kernel versions that contain commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), which moved the watch count increment ahead of the mark insertion, and that do not yet carry the fix. The affected product is the Linux kernel as produced by the Linux Foundation; operating systems that ship these kernels have the issue if they have not applied the patch. Exact affected kernel releases are not enumerated in the advisory, so any system relying on the inotify feature on an unpatched kernel may be impacted.

Risk and Exploitability

The impact is significant if an attacker can trigger repeated failures: a malicious local user can exhaust the max_user_watches resource, causing denial of service for processes that need to add inotify watches. The CVSS score is 5.5 with a local attack vector (AV:L), reflecting a local user or application path that manipulates watch creation. Exploitability is moderate; no publicly documented exploits exist and the EPSS score is unavailable. The vulnerability is not listed in CISA's KEV catalog, so it is not a known exploited vulnerability at this time.

Generated by OpenCVE AI on May 28, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that adds dec_inotify_watches() in the error path, which prevents the uncontrolled resource exhaustion (CWE-400).
  • If kernel updates cannot be deployed immediately, set a stricter max_user_watches limit and restrict which applications may create inotify watches, limiting the reach of the resource exhaustion flaw (CWE-400).
  • Enable logging and alerts for repeated -ENOSPC errors or abnormal watch counter growth, which signal potential exploitation of the missing rollback bug (CWE-911).
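One way to act on the last recommendation, as an added example that is not part of the OpenCVE page or of the kernel fix: count the watches a user's processes actually hold (the `inotify wd:` lines in /proc/<pid>/fdinfo/<fd>) and compare them with fs.inotify.max_user_watches. A count leaked by this bug is charged to the user but attached to no file descriptor, so -ENOSPC from inotify_add_watch() while live usage is far below the limit is the signature the leak leaves. The fdinfo sample and the `slack` threshold are constructed assumptions.

```python
import os
import re
from pathlib import Path

# Constructed sample of /proc/<pid>/fdinfo/<fd> for an inotify fd holding two watches.
SAMPLE_FDINFO = (
    "pos:\t0\nflags:\t02004000\n"
    "inotify wd:1 ino:2 sdev:800001 mask:8003d0c ignored_mask:0 "
    "fhandle-bytes:8 fhandle-type:1 f_handle:0200000000000000\n"
    "inotify wd:2 ino:3 sdev:800001 mask:8003d0c ignored_mask:0 "
    "fhandle-bytes:8 fhandle-type:1 f_handle:0300000000000000\n"
)
WATCH_LINE = re.compile(r"^inotify wd:\d+ ")

def count_watches_in_fdinfo(text: str) -> int:
    """Number of live watch descriptors recorded in one fdinfo file."""
    return sum(1 for line in text.splitlines() if WATCH_LINE.match(line))

def count_live_watches(uid: int, proc: str = "/proc") -> int:
    """Sum live watches over every inotify fd of every process owned by uid."""
    total = 0
    for pid_dir in Path(proc).glob("[0-9]*"):
        try:
            if pid_dir.stat().st_uid != uid:
                continue
            for fdinfo in (pid_dir / "fdinfo").iterdir():
                total += count_watches_in_fdinfo(fdinfo.read_text())
        except OSError:
            continue  # process exited, or fdinfo not readable by this caller
    return total

def max_user_watches(proc: str = "/proc") -> int:
    """Current value of the fs.inotify.max_user_watches sysctl."""
    return int(Path(proc, "sys/fs/inotify/max_user_watches").read_text())

def classify_enospc(live: int, limit: int, slack: float = 0.9) -> str:
    """Interpret an ENOSPC from inotify_add_watch() given observed usage.
    Counts leaked by the bug above belong to no fd, so they never show up in
    fdinfo: ENOSPC while live usage sits far below the limit points to a
    leaked counter rather than real exhaustion. The 0.9 slack is an assumed threshold."""
    if live >= limit * slack:
        return "exhausted"        # the watches really are in use
    return "leak-suspected"       # counter charged, but no watches back it

if __name__ == "__main__":  # run on a Linux host
    uid = os.getuid()
    live, limit = count_live_watches(uid), max_user_watches()
    print(f"uid {uid}: {live} live watches of {limit}; "
          f"an ENOSPC now would read as {classify_enospc(live, limit)}")
```

Reading other users' fdinfo requires root, so run the check as root when auditing a multi-user host.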


Advisories

No advisories yet.

History

Thu, 28 May 2026 04:00:00 +0000
  Weaknesses: CWE-400

Thu, 28 May 2026 00:15:00 +0000
  Weaknesses: CWE-911
  References:
  Metrics:
    threat_severity: None (removed) -> Low (added)
    cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} (added)

Wed, 27 May 2026 20:45:00 +0000
  Weaknesses: CWE-400

Wed, 27 May 2026 14:15:00 +0000
  Description: added (the text shown in the Description section at the top of this page)
  Title: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
  First Time appeared: Linux, Linux linux Kernel
  CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products: Linux, Linux linux Kernel
  References:

MITRE
  Status: PUBLISHED
  Assigner: Linux
  Published:
  Updated: 2026-05-27T12:56:52.161Z
  Reserved: 2026-05-13T15:03:33.094Z
  Link: CVE-2026-46040

Vulnrichment
  No data.

NVD
  Status: Awaiting Analysis
  Published: 2026-05-27T14:17:23.387
  Modified: 2026-05-27T14:48:03.013
  Link: CVE-2026-46040

Red Hat
  Severity: Low
  Public Date: 2026-05-27T00:00:00Z
  Links: CVE-2026-46040 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-05-28T03:45:06Z

Weaknesses