CVE-2026-52990
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fsnotify: fix inode reference leak in fsnotify_recalc_mask()

fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared.

This manifests as a hung task with the following call trace:

    INFO: task umount:1234 blocked for more than 120 seconds.
    Call Trace:
      __schedule
      schedule
      fsnotify_sb_delete
      generic_shutdown_super
      kill_anon_super
      cleanup_mnt
      task_work_run
      do_exit
      do_group_exit

The race window that triggers the iref leak:

    Thread A (adding mark)              Thread B (removing mark)
    ──────────────────────              ────────────────────────
    fsnotify_add_mark_locked():
      fsnotify_add_mark_list():
        spin_lock(conn->lock)
        add mark_B(evictable) to list
        spin_unlock(conn->lock)
        return

      /* ---- gap: no lock held ---- */
                                        fsnotify_detach_mark(mark_A):
                                          spin_lock(mark_A->lock)
                                          clear ATTACHED flag on mark_A
                                          spin_unlock(mark_A->lock)
                                          fsnotify_put_mark(mark_A)

      fsnotify_recalc_mask():
        spin_lock(conn->lock)
        __fsnotify_recalc_mask():
          /* mark_A skipped: ATTACHED cleared */
          /* only mark_B(evictable) remains */
          want_iref = false
          has_iref = true /* not yet cleared */
          -> HAS_IREF transitions true -> false
          -> returns inode pointer
        spin_unlock(conn->lock)
        /* BUG: return value discarded!
         * iput() and fsnotify_put_sb_watched_objects()
         * are never called */

Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).

Meta Information

  • Published: 2026-06-24
  • Last Modified: 2026-06-24
  • Generated: 2026-06-25
  • AI Q&A: 2026-06-24
  • EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's fsnotify subsystem, specifically in the fsnotify_recalc_mask() function. The function fails to properly handle the return value of __fsnotify_recalc_mask(), which can return an inode pointer that must be released using fsnotify_drop_object(). When the connector's HAS_IREF flag changes from set to cleared, this inode pointer is not released, causing an inode reference leak.

This leak can cause tasks to hang, as demonstrated by a blocked umount task in the kernel call trace. The root cause is a race condition between two threads: one adding a mark and another removing a mark. The transition of the HAS_IREF flag from true to false is mishandled: the inode pointer returned on that transition is discarded, so the reference it carries is never dropped and leaks.

The fix involves deferring the transition of the HAS_IREF flag from true to false from fsnotify_recalc_mask() to fsnotify_put_mark(), ensuring proper release of the inode pointer and preventing the leak.

Impact Analysis

This vulnerability can cause tasks in the Linux kernel to hang or become blocked for extended periods, as inode references are leaked and not properly released. This can lead to resource exhaustion, degraded system performance, or instability.

In practical terms, system operations such as unmounting filesystems may stall, potentially impacting system availability and reliability.

Detection Guidance

This vulnerability manifests as a hung task with a specific call trace involving the umount task being blocked for more than 120 seconds.

To detect this issue on your system, you can look for hung tasks related to unmount operations and check kernel logs for call traces similar to the following:

  • Look for messages like: "INFO: task umount:<pid> blocked for more than 120 seconds."
  • Examine the kernel call trace for functions such as __schedule, schedule, fsnotify_sb_delete, generic_shutdown_super, kill_anon_super, cleanup_mnt, task_work_run, do_exit, and do_group_exit.

You can use commands like `dmesg | grep 'task umount'` or `journalctl -k | grep 'task umount'` to find relevant kernel log entries.

Additionally, monitoring hung or blocked tasks using tools like `ps`, `top`, or `htop` and checking for tasks stuck in uninterruptible sleep (D state) may help identify the problem.
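
The log check described above, narrowed so that a hung-task header is reported only when fsnotify_sb_delete appears in the trace that follows it, which a plain grep for 'task umount' cannot tell apart from unrelated umount hangs. This is an added example, not code from the advisory or the kernel project; the function names find_fsnotify_hangs and sample_log, the 40-line report window and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report hung tasks whose stack contains fsnotify_sb_delete.

# Reads kernel log text on stdin and prints "comm:pid" once per matching report.
find_fsnotify_hangs() {
    awk '
        /INFO: task .* blocked for more than [0-9]+ seconds/ {
            # Start of a hung-task report: keep "comm:pid", reset state.
            task = $0
            sub(/.*INFO: task /, "", task)
            sub(/ blocked for more than.*/, "", task)
            left = 40        # assumption: a report fits in 40 log lines
            reported = 0
            next
        }
        task != "" {
            if (--left < 0) { task = ""; next }
            # Frame named in the call trace quoted in the CVE description.
            if (!reported && /fsnotify_sb_delete/) { print task; reported = 1 }
        }
    '
}

# Constructed sample log (not captured from a real system).
sample_log() {
    cat <<'EOF'
[  840.100000] INFO: task rsync:777 blocked for more than 120 seconds.
[  840.100010] Call Trace:
[  840.100020]  __schedule+0x2eb/0x8d0
[  840.100030]  schedule+0x5b/0xd0
[  840.100040]  io_schedule+0x46/0x70
[  961.200000] INFO: task umount:1234 blocked for more than 120 seconds.
[  961.200010] Call Trace:
[  961.200020]  __schedule+0x2eb/0x8d0
[  961.200030]  schedule+0x5b/0xd0
[  961.200040]  fsnotify_sb_delete+0x19c/0x1f0
[  961.200050]  generic_shutdown_super+0x45/0x110
[ 1082.300000] INFO: task umount:2001 blocked for more than 120 seconds.
[ 1082.300010] Call Trace:
[ 1082.300020]  __schedule+0x2eb/0x8d0
[ 1082.300030]  schedule+0x5b/0xd0
[ 1082.300040]  schedule_timeout+0x8a/0x160
[ 1082.300050]  wait_for_completion+0x8b/0xf0
EOF
}

sample_log | find_fsnotify_hangs    # prints umount:1234
```

On a live system, pipe `dmesg` or `journalctl -k` into `find_fsnotify_hangs` in place of `sample_log`.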

Mitigation Strategies

The vulnerability is caused by an inode reference leak in the fsnotify_recalc_mask() function due to improper handling of the HAS_IREF flag transition.

Immediate mitigation involves applying the fix that defers the transition of the HAS_IREF flag from fsnotify_recalc_mask() to fsnotify_put_mark(), ensuring proper release of inode pointers.

Since this is a Linux kernel vulnerability, the recommended immediate step is to update your Linux kernel to a version that includes the patch resolving this issue.

If updating the kernel is not immediately possible, consider avoiding workloads or operations that trigger heavy use of fsnotify marks, such as frequent mount/unmount operations, until the patch can be applied.
