GHSA-38G3-XQXQ-2V2P
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33In the Linux kernel, the following vulnerability has been resolved:
inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active.
Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback.
Add the missing dec_inotify_watches() call in the error path.
{
"affected": [],
"aliases": [
"CVE-2026-46040"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:23Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ninotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails\n\nWhen fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),\nthe error path calls inotify_remove_from_idr() but does not call\ndec_inotify_watches() to undo the preceding inc_inotify_watches().\nThis leaks a watch count, and repeated failures can exhaust the\nmax_user_watches limit with -ENOSPC even when no watches are active.\n\nPrior to commit 1cce1eea0aff (\"inotify: Convert to using per-namespace\nlimits\"), the watch count was incremented after fsnotify_add_mark_locked()\nsucceeded, so this path was not affected. The conversion moved\ninc_inotify_watches() before the mark insertion without adding the\ncorresponding rollback.\n\nAdd the missing dec_inotify_watches() call in the error path.",
"id": "GHSA-38g3-xqxq-2v2p",
"modified": "2026-05-27T15:33:22Z",
"published": "2026-05-27T15:33:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46040"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6a320935fa4293e9e599ec9f85dc9eb3be7029f8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/73ddc8518a32baff6bc17afda4ee1ebae5b4ed12"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8bcc1cd237ab5ccfdd102869fa031c541943cf40"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9e48844f708eb48bae4e79cb21edc097c966306d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fdaa42ca370d056428e5e171247c8fdce8dff36a"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.