-
CVE-2026-52990
- EPSS 0.18%
- Veröffentlicht 24.06.2026 16:29:04
- Zuletzt bearbeitet 10.07.2026 19:24:19
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
fsnotify: fix inode reference leak in fsnotify_recalc_mask()
In the Linux kernel, the following vulnerability has been resolved:
fsnotify: fix inode reference leak in fsnotify_recalc_mask()
fsnotify_recalc_mask() fails to handle the return value of
__fsnotify_recalc_mask(), which may return an inode pointer that needs
to be released via fsnotify_drop_object() when the connector's HAS_IREF
flag transitions from set to cleared.
This manifests as a hung task with the following call trace:
INFO: task umount:1234 blocked for more than 120 seconds.
Call Trace:
__schedule
schedule
fsnotify_sb_delete
generic_shutdown_super
kill_anon_super
cleanup_mnt
task_work_run
do_exit
do_group_exit
The race window that triggers the iref leak:
Thread A (adding mark) Thread B (removing mark)
────────────────────── ────────────────────────
fsnotify_add_mark_locked():
fsnotify_add_mark_list():
spin_lock(conn->lock)
add mark_B(evictable) to list
spin_unlock(conn->lock)
return
/* ---- gap: no lock held ---- */
fsnotify_detach_mark(mark_A):
spin_lock(mark_A->lock)
clear ATTACHED flag on mark_A
spin_unlock(mark_A->lock)
fsnotify_put_mark(mark_A)
fsnotify_recalc_mask():
spin_lock(conn->lock)
__fsnotify_recalc_mask():
/* mark_A skipped: ATTACHED cleared */
/* only mark_B(evictable) remains */
want_iref = false
has_iref = true /* not yet cleared */
-> HAS_IREF transitions true -> false
-> returns inode pointer
spin_unlock(conn->lock)
/* BUG: return value discarded!
* iput() and fsnotify_put_sb_watched_objects()
* are never called */
Fix this by deferring the transition true -> false of HAS_IREF flag from
fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
c3638b5b13740fa31762d414bbce8b7a694e582a
Version <
8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42
Status
affected
Version
c3638b5b13740fa31762d414bbce8b7a694e582a
Version <
b740cc86816bbc87902ae9db74cd21abde3c8d63
Status
affected
Version
c3638b5b13740fa31762d414bbce8b7a694e582a
Version <
5c80289503da3658e3df80280598c68d181eadbd
Status
affected
Version
c3638b5b13740fa31762d414bbce8b7a694e582a
Version <
4aca914ac152f5d055ddcb36704d1e539ac08977
Status
affected
Version
ff34ebaa6f6dc1eebce6a8d6f12a1566f33d00fe
Status
affected
Version
4f145b67c075324b13d6ae7d5abb6e7a1dbac26d
Status
affected
Version
5.10.220
Version <
5.11
Status
affected
Version
5.15.154
Version <
5.16
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
5.19
Status
affected
Version
0
Version <
5.19
Status
unaffected
Version <=
6.12.*
Version
6.12.91
Status
unaffected
Version <=
6.18.*
Version
6.18.33
Status
unaffected
Version <=
7.0.*
Version
7.0.10
Status
unaffected
Version <=
*
Version
7.1
Status
unaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.072 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|
https://git.kernel.org/stable/c/8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42
https://git.kernel.org/stable/c/b740cc86816bbc87902ae9db74cd21abde3c8d63
https://git.kernel.org/stable/c/5c80289503da3658e3df80280598c68d181eadbd
https://git.kernel.org/stable/c/4aca914ac152f5d055ddcb36704d1e539ac08977