CVE-2026-46040
Analyzed Analyzed - Analysis Complete
Watch Count Leak in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active. Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback. Add the missing dec_inotify_watches() call in the error path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-46040
EUVD
EUVD-2026-32421
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.86 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
linux linux_kernel From 4.11 (inc) to 5.10.258 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's inotify subsystem. When the function fsnotify_add_inode_mark_locked() fails during the creation of a new inotify watch (inotify_new_watch()), the error handling path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to decrement the watch count that was previously incremented by inc_inotify_watches().

As a result, the watch count leaks and is not properly decremented. Repeated failures can cause the system to exhaust the maximum number of user watches (max_user_watches), leading to an -ENOSPC error, even though no active watches exist.

This issue arose after a code change that moved the increment of the watch count before the mark insertion without adding the corresponding rollback in case of failure. The fix adds the missing dec_inotify_watches() call in the error path to properly undo the increment.

Impact Analysis

This vulnerability can lead to a resource leak in the form of an inflated watch count in the inotify subsystem of the Linux kernel.

Because the watch count is not properly decremented on failure, repeated failures can exhaust the maximum allowed number of user watches (max_user_watches).

When this limit is reached, attempts to create new inotify watches will fail with an -ENOSPC error, even if no actual watches are active. This can disrupt applications or services that rely on inotify for file system event monitoring, potentially causing failures or degraded functionality.

Mitigation Strategies

The vulnerability is caused by a watch count leak in the Linux kernel's inotify subsystem when fsnotify_add_inode_mark_locked() fails. To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for this issue, which adds the missing dec_inotify_watches() call in the error path.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46040. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart