Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-46040— inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails

AI Predicted 5.3 Difficulty: Moderate EPSS 0.03% · P10

Possible ATT&CK Techniques 1AI

T1059 · Command and Scripting Interpreter

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinux1cce1eea0aff51201753fcaca421df825b0813b6< 3ab58cf42c46bf2366d2f55ae5c59299d5e178b7affected
1cce1eea0aff51201753fcaca421df825b0813b6< 10edf7e0ffdc7faa18e2244b17722c1b882b8273affected
1cce1eea0aff51201753fcaca421df825b0813b6< 3ad9ccea1b25435f6179b57aa891960beb7ce8f9affected
1cce1eea0aff51201753fcaca421df825b0813b6< 8bcc1cd237ab5ccfdd102869fa031c541943cf40affected
1cce1eea0aff51201753fcaca421df825b0813b6< 73ddc8518a32baff6bc17afda4ee1ebae5b4ed12affected
1cce1eea0aff51201753fcaca421df825b0813b6< fdaa42ca370d056428e5e171247c8fdce8dff36aaffected
1cce1eea0aff51201753fcaca421df825b0813b6< 9e48844f708eb48bae4e79cb21edc097c966306daffected
1cce1eea0aff51201753fcaca421df825b0813b6< 6a320935fa4293e9e599ec9f85dc9eb3be7029f8affected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46040

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active. Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback. Add the missing dec_inotify_watches() call in the error path.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于inotify_new_watch函数中fsnotify_add_inode_mark_locked失败时未减少监视计数,可能导致监视计数泄漏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 1cce1eea0aff51201753fcaca421df825b0813b6 ~ 3ab58cf42c46bf2366d2f55ae5c59299d5e178b7 -
LinuxLinux 4.11 -

II. Public POCs for CVE-2026-46040

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46040

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46040 (8)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-459729.8 CRITICALsmb: client: fix potential UAF and double free in smb2_open_file()
CVE-2026-458989.8 CRITICALRDMA/iwcm: Fix workqueue list corruption by removing work_list
CVE-2026-459889.8 CRITICALrxrpc: Fix re-decryption of RESPONSE packets
CVE-2026-460399.8 CRITICALrxgk: Fix potential integer overflow in length check
CVE-2026-460439.1 CRITICALRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-459458.8 HIGHiommu/vt-d: Fix race condition during PASID entry replacement
CVE-2026-460568.8 HIGHBluetooth: hci_event: fix potential UAF in SSP passkey handlers
CVE-2026-460378.2 HIGHipv4: icmp: validate reply type before using icmp_pointers
CVE-2026-458438.2 HIGHslip: bound decode() reads against the compressed packet length
CVE-2026-460998.1 HIGHnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
CVE-2026-460108.1 HIGHrxrpc: Fix error handling in rxgk_extract_token()
CVE-2026-460767.9 HIGHKVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
CVE-2026-459707.8 HIGHbonding: alb: fix UAF in rlb_arp_recv during bond up/down
CVE-2026-459807.8 HIGHaccel/amdxdna: Stop job scheduling across aie2_release_resource()
CVE-2026-459317.8 HIGHaccel/amdxdna: Hold mm structure across iommu_sva_unbind_device()
CVE-2026-460537.8 HIGHnet: rds: fix MR cleanup on copy error
CVE-2026-459297.8 HIGHovpn: fix possible use-after-free in ovpn_net_xmit
CVE-2026-458527.8 HIGHRDMA/rxe: Fix double free in rxe_srq_from_init
CVE-2026-458787.8 HIGHdrm/amdkfd: Fix watch_id bounds checking in debug address watch v2
CVE-2026-460587.8 HIGHmedia: amphion: Fix race between m2m job_abort and device_run

Showing top 20 of 276 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46040

No comments yet

Leave a comment