Skip to main content

Linux Kernel EUVDEUVD-2026-32421

| CVE-2026-46040 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-38g3-xqxq-2v2p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local syscall invocation requires low-privilege shell access; purely availability impact from watch-count exhaustion with zero confidentiality or integrity exposure.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:46 vuln.today
CVSS changed
Jun 16, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails

When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active.

Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback.

Add the missing dec_inotify_watches() call in the error path.

AnalysisAI

Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.

Technical ContextAI

inotify is a Linux kernel filesystem notification subsystem exposed via the inotify_init()/inotify_add_watch() syscall interface that allows userspace processes to receive events on inode changes. The vulnerability exists in inotify_new_watch() in fs/notify/inotify/inotify_user.c. The regression was introduced by commit 1cce1eea0aff ('inotify: Convert to using per-namespace limits'), which restructured the ordering of inc_inotify_watches() relative to the actual mark insertion via fsnotify_add_inode_mark_locked(). Prior to that commit, inc_inotify_watches() was only called after successful insertion; the conversion moved it before insertion without adding the symmetric rollback in the error path. Conceptually this maps to CWE-772 (Missing Release of Resource after Effective Lifetime) - a resource accounting leak, not a memory leak per se. Affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, spanning all stable branches that contain the regressing commit.

RemediationAI

Upgrade to a patched kernel version: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1, as published to the upstream stable tree at https://git.kernel.org/stable/. Distribution maintainers (Red Hat, Debian, Ubuntu, SUSE, etc.) are expected to backport these one-line fixes; consult your distribution's security advisory channel. If immediate kernel patching is not possible, a targeted compensating control is to lower the fs.inotify.max_user_watches sysctl (e.g., sysctl -w fs.inotify.max_user_watches=256) to minimize the window of exhaustion - trade-off: legitimate inotify-heavy applications such as IDEs or container runtimes may hit the limit prematurely and require per-application tuning. Additionally, restricting interactive shell or syscall access for untrusted local users via seccomp profiles or user namespace restrictions will prevent the necessary syscall invocation entirely, which is the most durable mitigation short of patching.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32421 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy