Skip to main content

Linux Kernel CVE-2026-52990

| EUVDEUVD-2026-38858 MEDIUM
2026-06-24 Linux GHSA-mrgj-88f9-5g2f
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires precise inter-thread timing beyond attacker control (AC:H); local low-privilege access required; impact is purely availability via resource exhaustion.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 14, 2026 - 16:54 vuln.today
CVSS changed
Jul 14, 2026 - 16:52 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fsnotify: fix inode reference leak in fsnotify_recalc_mask()

fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared.

This manifests as a hung task with the following call trace:

INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotify_sb_delete generic_shutdown_super kill_anon_super cleanup_mnt task_work_run do_exit do_group_exit

The race window that triggers the iref leak:

Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotify_add_mark_locked(): fsnotify_add_mark_list(): spin_lock(conn->lock) add mark_B(evictable) to list spin_unlock(conn->lock) return

/* ---- gap: no lock held ---- */

fsnotify_detach_mark(mark_A): spin_lock(mark_A->lock) clear ATTACHED flag on mark_A spin_unlock(mark_A->lock) fsnotify_put_mark(mark_A)

fsnotify_recalc_mask(): spin_lock(conn->lock) __fsnotify_recalc_mask(): /* mark_A skipped: ATTACHED cleared */ /* only mark_B(evictable) remains */ want_iref = false has_iref = true /* not yet cleared */ -> HAS_IREF transitions true -> false -> returns inode pointer spin_unlock(conn->lock) /* BUG: return value discarded!

  • iput() and fsnotify_put_sb_watched_objects()
  • are never called */

Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).

AnalysisAI

Resource leak in the Linux kernel fsnotify subsystem causes hung tasks and local denial of service via a race condition in fsnotify_recalc_mask(). A local low-privilege user can trigger concurrent mark addition and removal on a filesystem connector object, causing an inode pointer returned by __fsnotify_recalc_mask() to be silently discarded rather than released via fsnotify_drop_object() - permanently blocking the umount path as fsnotify_sb_delete() waits indefinitely on the leaked reference. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain local low-privilege shell
Delivery
Open inotify/fanotify watcher on target filesystem
Exploit
Spawn concurrent thread to remove existing mark
Install
Race mark removal into fsnotify_recalc_mask() gap
C2
Inode reference leaked without fsnotify_drop_object() call
Execute
Repeat to accumulate leaked references
Impact
Trigger unmount to hang indefinitely in fsnotify_sb_delete()

Vulnerability AssessmentAI

Exploitation Exploitation requires a local account with at least low-privilege access (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.5 Medium (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and EPSS at 0.18% (7th percentile) together signal a very low real-world exploitation priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user spawns two threads that simultaneously add and remove fsnotify marks on the same filesystem connector object, deliberately timing the removal to land in the gap between conn->lock release in fsnotify_add_mark_list() and the call to fsnotify_recalc_mask(). This causes __fsnotify_recalc_mask() to return a non-NULL inode pointer that is discarded, leaking the reference. …
Remediation Apply vendor-released kernel patches, which are available across stable branches via kernel.org. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy