PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46040 Linux CVE debrief

A resource leak vulnerability in the Linux kernel's inotify subsystem allows watch count exhaustion through repeated failed watch creation attempts. The flaw exists in inotify_new_watch(), where a failure of fsnotify_add_inode_mark_locked() takes an error path that removes the watch from the IDR but does not decrement the per-user watch counter. This regression was introduced when commit 1cce1eea0aff moved inc_inotify_watches() before mark insertion without adding the corresponding rollback. Successful exploitation results in premature -ENOSPC errors that block legitimate inotify usage even when no active watches exist. The vulnerability is local-only and requires the ability to trigger inotify watch creation failures. Multiple stable kernel branches have received patches.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, and security teams monitoring for local denial-of-service conditions affecting file system monitoring infrastructure

Technical summary

The inotify_new_watch() function in fs/notify/inotify/inotify_user.c increments the per-user watch count via inc_inotify_watches() before attempting to insert the mark with fsnotify_add_inode_mark_locked(). When this insertion fails, the error path calls inotify_remove_from_idr() to clean up the IDR entry but omits dec_inotify_watches(), leaving the counter elevated. Repeated failures allow unprivileged users to exhaust max_user_watches, causing subsequent legitimate inotify operations to fail with -ENOSPC. The vulnerability is a regression from the per-namespace limits conversion in commit 1cce1eea0aff.
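The accounting defect described above, as an added self-contained model (not the kernel's code): a per-user counter is bumped before the mark is inserted, and the buggy error path never undoes the bump. The names user_watches, MAX_USER_WATCHES, add_mark() and the failure reason are assumptions of the model; the `fixed` flag switches between the leaking path and the patched one.

```c
#include <errno.h>
#include <stdbool.h>

#define MAX_USER_WATCHES 4 /* stands in for fs.inotify.max_user_watches (constructed value) */

static int user_watches;   /* models the per-user watch counter */
static int active_watches; /* marks that were actually inserted */

/* Models inc_inotify_watches(): reserve a slot, or report exhaustion. */
static bool inc_watches(void) {
    if (user_watches >= MAX_USER_WATCHES) return false;
    user_watches++;
    return true;
}

static void dec_watches(void) { user_watches--; }

/* Models fsnotify_add_inode_mark_locked(); the caller decides if it fails. */
static int add_mark(bool fail) {
    if (fail) return -EEXIST; /* hypothetical failure reason for the model */
    active_watches++;
    return 0;
}

/* fixed == false reproduces the leak; fixed == true applies the fix. */
int new_watch(bool insert_fails, bool fixed) {
    if (!inc_watches()) return -ENOSPC;
    int ret = add_mark(insert_fails);
    if (ret) {
        /* inotify_remove_from_idr() would run here. The bug: the counter
         * increment above is not rolled back on this path. */
        if (fixed) dec_watches();
        return ret;
    }
    return 0;
}

void reset_model(void) { user_watches = 0; active_watches = 0; }

/* Drive `attempts` failing insertions, then one legitimate watch;
 * return the legitimate call's result. */
int result_after_failures(int attempts, bool fixed) {
    reset_model();
    for (int i = 0; i < attempts; i++) new_watch(true, fixed);
    return new_watch(false, fixed);
}

int active_watch_count(void) { return active_watches; }
int user_watch_count(void) { return user_watches; }
```

With the leaking path, MAX_USER_WATCHES failed attempts leave zero active marks yet the next legitimate watch fails with -ENOSPC, which is the symptom the detection advice below keys on.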

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor for -ENOSPC errors from inotify_add_watch() that occur despite low active watch counts
  • Audit applications using inotify for error handling that may trigger repeated failed watch creation attempts
  • Consider temporary increase of fs.inotify.max_user_watches sysctl if operational impact occurs before patching
  • Review kernel changelogs for backport status to your specific kernel version

Evidence notes

The vulnerability description confirms the bug was introduced during the conversion to per-namespace limits in commit 1cce1eea0aff. The fix adds dec_inotify_watches() to the error path in inotify_new_watch(). The five stable kernel commits provided indicate backports to multiple supported branches. NVD had not assigned a CVSS score at the time of disclosure.

Official resources
