Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Race condition requires precise inter-thread timing beyond attacker control (AC:H); local low-privilege access required; impact is purely availability via resource exhaustion.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
fsnotify: fix inode reference leak in fsnotify_recalc_mask()
fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared.
This manifests as a hung task with the following call trace:
INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotify_sb_delete generic_shutdown_super kill_anon_super cleanup_mnt task_work_run do_exit do_group_exit
The race window that triggers the iref leak:
Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotify_add_mark_locked(): fsnotify_add_mark_list(): spin_lock(conn->lock) add mark_B(evictable) to list spin_unlock(conn->lock) return
/* ---- gap: no lock held ---- */
fsnotify_detach_mark(mark_A): spin_lock(mark_A->lock) clear ATTACHED flag on mark_A spin_unlock(mark_A->lock) fsnotify_put_mark(mark_A)
fsnotify_recalc_mask(): spin_lock(conn->lock) __fsnotify_recalc_mask(): /* mark_A skipped: ATTACHED cleared */ /* only mark_B(evictable) remains */ want_iref = false has_iref = true /* not yet cleared */ -> HAS_IREF transitions true -> false -> returns inode pointer spin_unlock(conn->lock) /* BUG: return value discarded!
- iput() and fsnotify_put_sb_watched_objects()
- are never called */
Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).
AnalysisAI
Resource leak in the Linux kernel fsnotify subsystem causes hung tasks and local denial of service via a race condition in fsnotify_recalc_mask(). A local low-privilege user can trigger concurrent mark addition and removal on a filesystem connector object, causing an inode pointer returned by __fsnotify_recalc_mask() to be silently discarded rather than released via fsnotify_drop_object() - permanently blocking the umount path as fsnotify_sb_delete() waits indefinitely on the leaked reference. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local account with at least low-privilege access (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 5.5 Medium (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and EPSS at 0.18% (7th percentile) together signal a very low real-world exploitation priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user spawns two threads that simultaneously add and remove fsnotify marks on the same filesystem connector object, deliberately timing the removal to land in the gap between conn->lock release in fsnotify_add_mark_list() and the call to fsnotify_recalc_mask(). This causes __fsnotify_recalc_mask() to return a non-NULL inode pointer that is discarded, leaking the reference. … |
| Remediation | Apply vendor-released kernel patches, which are available across stable branches via kernel.org. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38858
GHSA-mrgj-88f9-5g2f