CVE-2026-46150 Linux CVE debrief

Who should care

System administrators running Linux systems with fanotify-based security software; security teams relying on fanotify for file access monitoring or access control enforcement; kernel maintainers and distribution packagers responsible for stable kernel updates

Technical summary

The fanotify subsystem in the Linux kernel contains a vulnerability where permission events may produce false positives. When `fsnotify_get_mark_safe()` encounters a mark on an unrelated group, it returns false, which the permission event handler interprets as a signal to bypass the permission check entirely. The root cause is improper handling of detached marks during permission event processing. The fix modifies the logic to distinguish between marks that should trigger permission validation and detached marks from other groups that should be skipped without aborting the check. This is a logic flaw in access control enforcement with potential security implications for systems using fanotify for mandatory access control or security monitoring.

Defensive priority

high

Recommended defensive actions

• Apply kernel updates containing the referenced stable commits once available from your Linux distribution
• Verify fanotify-based security tools (malware scanners, file integrity monitors) are configured to detect anomalous access patterns as defense in depth
• Monitor for unexpected permission event behavior in systems relying on fanotify for access control decisions
• Review custom fanotify implementations for assumptions about mark state consistency

Evidence notes

The vulnerability description indicates a logic flaw where `fsnotify_get_mark_safe()` returning false for marks on unrelated groups leads to permission check bypass. The fix involves correctly handling detached marks by skipping those not in the current group. Multiple stable kernel commits are referenced, indicating backports to affected versions.

Official resources