Skip to main content

Linux Kernel CVE-2026-46150

| EUVDEUVD-2026-32777 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-97pw-xx9j-rg9j
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:56 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.1
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fanotify: fix false positive on permission events

fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.

Fix by skipping over detached marks that are not in the current group.

AnalysisAI

Permission check bypass in the Linux kernel's fanotify subsystem allows local low-privileged users to circumvent access control decisions enforced by fanotify-based security tools. The flaw stems from fsnotify_get_mark_safe() incorrectly returning false for marks on unrelated groups, causing the permission event evaluation to be skipped entirely. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the impact on systems relying on fanotify for access control (antivirus, EDR, HSM) is significant.

Technical ContextAI

fanotify is a Linux kernel filesystem notification API (an evolution of inotify) that uniquely supports permission events - FAN_OPEN_PERM and FAN_ACCESS_PERM - allowing userspace monitors (commonly antimalware, DLP, or hierarchical storage managers) to allow or deny filesystem operations before they complete. Marks attach watch policies to inodes/mounts and are grouped per listener. The bug lives in fsnotify_get_mark_safe(), a helper that takes a temporary reference on a mark during event delivery: when iterating mark lists that contain marks from unrelated notification groups, the helper could return false for an unrelated detached mark, prompting the caller to short-circuit and skip the permission decision for the current group's mark - effectively allowing the operation without consulting the legitimate listener. No CWE has been assigned but the defect class is a logic/state-handling error in concurrent mark iteration, adjacent to CWE-863 (Incorrect Authorization).

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc2 (or later) depending on your kernel series, using the upstream stable commits listed at git.kernel.org/stable/c/f130790f1acc8399f32652846c875a251efd040f and the four sibling commits. On distribution kernels, install the vendor's kernel update once it ships the corresponding backport and reboot - live patching frameworks (kpatch, kGraft, Ksplice) may also deliver it without reboot where supported. There is no clean configuration-level workaround because the bypass is inside core fanotify event handling, but interim compensating controls include restricting which users can open fanotify file descriptors by removing CAP_SYS_ADMIN from non-essential service accounts (note: this will also break any legitimate fanotify-based agent running under those accounts), and supplementing fanotify-based EDR with kernel-audit (auditd) or LSM-based (SELinux/AppArmor) policy checks so a single bypass does not silently void all enforcement (trade-off: additional audit volume and policy maintenance).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy