{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-52990","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.376Z","datePublished":"2026-06-24T16:29:04.148Z","dateUpdated":"2026-06-24T16:29:04.148Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-24T16:29:04.148Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: fix inode reference leak in fsnotify_recalc_mask()\n\nfsnotify_recalc_mask() fails to handle the return value of\n__fsnotify_recalc_mask(), which may return an inode pointer that needs\nto be released via fsnotify_drop_object() when the connector's HAS_IREF\nflag transitions from set to cleared.\n\nThis manifests as a hung task with the following call trace:\n\n  INFO: task umount:1234 blocked for more than 120 seconds.\n  Call Trace:\n   __schedule\n   schedule\n   fsnotify_sb_delete\n   generic_shutdown_super\n   kill_anon_super\n   cleanup_mnt\n   task_work_run\n   do_exit\n   do_group_exit\n\nThe race window that triggers the iref leak:\n\n  Thread A (adding mark)              Thread B (removing mark)\n  ──────────────────────              ────────────────────────\n  fsnotify_add_mark_locked():\n    fsnotify_add_mark_list():\n      spin_lock(conn->lock)\n      add mark_B(evictable) to list\n      spin_unlock(conn->lock)\n    return\n\n    /* ---- gap: no lock held ---- */\n\n                                      fsnotify_detach_mark(mark_A):\n                                        spin_lock(mark_A->lock)\n                                        clear ATTACHED flag on mark_A\n                                        spin_unlock(mark_A->lock)\n                                        fsnotify_put_mark(mark_A)\n\n    fsnotify_recalc_mask():\n      spin_lock(conn->lock)\n      __fsnotify_recalc_mask():\n        /* mark_A skipped: ATTACHED cleared */\n        /* only mark_B(evictable) remains */\n        want_iref = false\n        has_iref = true  /* not yet cleared */\n        -> HAS_IREF transitions true -> false\n        -> returns inode pointer\n      spin_unlock(conn->lock)\n      /* BUG: return value discarded!\n       * iput() and fsnotify_put_sb_watched_objects()\n       * are never called */\n\nFix this by deferring the transition true -> false of HAS_IREF flag from\nfsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B)."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/notify/mark.c"],"versions":[{"version":"c3638b5b13740fa31762d414bbce8b7a694e582a","lessThan":"8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42","status":"affected","versionType":"git"},{"version":"c3638b5b13740fa31762d414bbce8b7a694e582a","lessThan":"b740cc86816bbc87902ae9db74cd21abde3c8d63","status":"affected","versionType":"git"},{"version":"c3638b5b13740fa31762d414bbce8b7a694e582a","lessThan":"5c80289503da3658e3df80280598c68d181eadbd","status":"affected","versionType":"git"},{"version":"c3638b5b13740fa31762d414bbce8b7a694e582a","lessThan":"4aca914ac152f5d055ddcb36704d1e539ac08977","status":"affected","versionType":"git"},{"version":"ff34ebaa6f6dc1eebce6a8d6f12a1566f33d00fe","status":"affected","versionType":"git"},{"version":"4f145b67c075324b13d6ae7d5abb6e7a1dbac26d","status":"affected","versionType":"git"},{"version":"5.10.220","lessThan":"5.11","status":"affected","versionType":"semver"},{"version":"5.15.154","lessThan":"5.16","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/notify/mark.c"],"versions":[{"version":"5.19","status":"affected"},{"version":"0","lessThan":"5.19","status":"unaffected","versionType":"semver"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.12.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.18.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.220"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.154"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42"},{"url":"https://git.kernel.org/stable/c/b740cc86816bbc87902ae9db74cd21abde3c8d63"},{"url":"https://git.kernel.org/stable/c/5c80289503da3658e3df80280598c68d181eadbd"},{"url":"https://git.kernel.org/stable/c/4aca914ac152f5d055ddcb36704d1e539ac08977"}],"title":"fsnotify: fix inode reference leak in fsnotify_recalc_mask()","x_generator":{"engine":"bippy-1.2.0"}}}}